General

  • Target

    c4a88edc19372fb161b492057f1394b2739a79e35e8285430bd7cf0ad62c03a7.exe

  • Size

    90KB

  • Sample

    240726-gjqrystaqa

  • MD5

    96e7ffb9edc2f7592c34a4d841ba566c

  • SHA1

    d43df00b7a91966ac3e10e324a57d5658f84d88b

  • SHA256

    c4a88edc19372fb161b492057f1394b2739a79e35e8285430bd7cf0ad62c03a7

  • SHA512

    fc6d4038293b78ad3336c5533dae1fdc59d4f0786d588bc3f5b4c2f2d147cbb1c9a40a058ecbd3c226c97e965f5cea58c0ff47e2697dadc0db416e4a20e93d0d

  • SSDEEP

    1536:J555555555555pmgSeGDjtQhnwmmB0yJMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rS:2MSjOnrmBxMqqDL2/mr3IdE8we0Avu52

Malware Config

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Targets

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks