gandcrab

General

Target

RNSM00350.7z
Size

3.5MB
Sample

241109-yps8ps1dkr
MD5

982af95b63378afb632aa782abff4687
SHA1

c0f248b4142b1b226b8a3b370662193eacba4559
SHA256

062ec652ee4d6b0b3a49eb28d3e1acbda510e05104f7567d9080a2b1d9ee5577
SHA512

58972370e742b87eaf42ffcc041f26cf98b9d37fa52bc2388fc9e42dee847c303ce85698bf35bf28bd6fb299571f07ece08ffa453f034ad842d91581a614f63d
SSDEEP

98304:BGcHrCjqzcbp9tuPcgg0ayD0mZUjRcZU0qopxP:BjrHituEgg05p6jRv09P

Score

10^/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\QLVSTQLJ-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .QLVSTQLJ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/f86c96cab488d56b | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAA1M43xgPSXo+WJHmBRY9x4Cj5edzoCTLd9udJbk9CsHvfvMV39CXqdNS4gkp1ZQFPdYS8mixRKOaFIdBOl6qcgjDBH+HW7M/pHL0knAlCsHf+y8y0giXzvsMUvbcDuSF8/trC2btqPzL75D/hbIWzSfsQHEEWYhM42cQcXnae16k1PTVT404fIfSkefT9wIMb4xBgJa8uq/Vzrblqr0+y6Ayak/Pdfa3/YBVBLEobKaC0S4Lsdh+xMF7YzYJj60dwdE31O0KkT+5dNgKozi3sQIgQwegb49YFZjYvCtb3CCaf5WJ8s60ipF0T9WTNYoyAlMk1NWlLPnJrt0raA5eQjRwctqbtXxatDGZUxs2Bj5/Ki/Gksv5zcQ4UgHKJgB/STsL7qF2HqYelwceOheiJxUcx1dwKRrX5on1TFVfeqVtCphzhYyK2XgC9CvD8rHHHm6nqbT8pocev1va8FbNsTiGCjPYBfM/xQWEIq5GNXJXUVHn55PgcaHu92pa7h842q2RDE6t4i5Aii4SiHiVwEvbgbmYkwicI5jVzY274870rfmO4nxXTUyg1D6VudA3jTVb+6rJumnxxoAfT/lyxWuUQozyeRrH2aRBeEpCBXDwtlGPFdM5RQGXKAtfLFL9nK2Kj9vmzzAevS0tMIXHQnQjlGFLl2Zp4tcYqJ/dmpSwZak1Cqy5N1xK3UHsyVRAGOQF0rYXMp7T93t/mH4qu6h7nj0UJJmPvITWS5YXYAIzM8dBSGleUkgoc6umXEAhjViC37Y3f2UhozcoMaYJfZ6ljE7YzkegNH6al/vmReQTPADrFgchWsOkuySw0i8rQfJ1kh2DYWgzi9RGlZWs5V0gGVV6tJEMXY7+mpYdDDfqdP4kb5ZDeicoBagyJrTH2wj5z2MAeoy0Acr2hQu18qsPfYr2eVsNO7B0je6ZX4QRNKLS4LEBR1ol3GHSnneJjc2I96npZQXRFT+HTUsZ76VWvssU3HLvfr5RkgFe/AB2U15Y19VmKlbsT50e1RHqxoEcx3fhNHWKDfEpgQ55y9giOJjtcghry2OqrHYINTva1yrpYZX1AJ4bcdM5kaFw/zpG8YmGt6sfa/SbaxabAsak1cM+yV2uh3hPlAyjz7kPQ8KC3E9oLC3D5OBuPyo5UB03qALCEp8QH86GAZ6JeWRNVBzdrG/da+RZqUhHGcpq0FfCcgNINtC5iiRbXancrZWhZTeispPD8OaOrmNk/zIg4ItXhtS84l8hM9cdV6Ba8wYHwvnsq4l7wpVxG3IQTwQipl5K2ays2iZkruNbQnhizryhuur0h3iuN9jlrkT3eScvEuvGmIMQXgoVYnEnPV18Z1mf5PTYq+IWYlmsZ6PUb5ap7YDJg2wnXcfrbpu55Jx51Ilfj64b/iCubiYjdKcyo9hVHiQ2PUPIfAO0sKlVuDAD5DYAHOn9H+qcEP18RQpXExQM4vJXYJrgGzLCQdhdvFVOujMb3uW2hRBcDNc5JsjT4++XbkT8sGoivC/4qxu5X6Yi+PS+DaN2XOnyEZm2gamFqYPgTmWFsirHG2pTW68ayxkkV7nDCMH93yQQUJFxFStYOSyS/WNRjDYku37s6vikypnhscdPG9wcY3hqgsu3QfAI3TeeGQLdyVtPvkQ35h+PHXgbcXW80V5tqmReyaxfZV/AhCL2C6hpPDFYhWmJ5X5baTYCq28X7yMYwwZiDEUekapW4OGeO7zIkeA8MEoKi3xZ91lOuV/xfX0IN952gSWyigLyk7On+t0s6GzOl+FG6dwpgpaHaHK5NWqK9OnumPQqkSx9+0wALPTwdbFGbBlHaFBqr0Hz2z3AzwF0vGuEdsoPR/vhlNR8Zw9hifKKBzaANplIzzxWZFxfopGG3HbJxSsx3igAzEO0B0GXLBThvloEKRWSpsKREuxt5G1MNe1oP/2SZXbRHJ+fn4MwKGWS2mEJfs9RGrE3q8ii8U3GbBW8dUdNAEletAd0/rNY/O6/DIFSmg5ziKasWEr/iBqcwL0/p7iwu7XzKNj8J1louH7NCUykFzavpJo0cbgcbDhama9IRLfLf3teL6aFfqdTfgwNt3JIJmin4JiuytWwTZ4zGvC8DAY9b+NZvis1r/TftL1oMdfSZXVayqafYKl9/Ty/jr1SisbysXFcIgngt89YpqfopUd9SntTApGqR23eOpgswP0sZr+4cLIIJGyobeggL8LBH8sfDLFdjJzHmIHMK6qpbNwJ1t4zF8= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZHTp1RvXYM7nxWqLfHTHGHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BitbF6kU7Bs+Kt/2A2Qut3GolYaFqLBi/t+RHTEd8b8ycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9KwA70ZinpDxFJ3vTLM+ah1wYZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhH9TQ3HC3qZEEvXtdUj8BYRMbJH8Hp4Oar+NRZwP9okRV/rusrPFzMH9OHYBh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhPlLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/f86c96cab488d56b

Extracted

Path

C:\Users\README_BACK_FILES.htm

Ransom Note

<html><header><style>body {background: grey;color: white;}.c {width: 50%;margin: 0 auto;padding: 30px;background: rgba(0,0,0,.3);border-radius:30px;}</style></header><body><div><center><h2>YOUR PERSONAL ID:</h2></center><div class="c" style="text - align: center; ">0xT1nV7XWExxeWtsYWFQcWxlZ09rRms= </div></div><div><center><h2>YOUR FILES ARE ENCRYPTED! </h2></center><div class="c">TO DECRYPT, FOLLOW THE INSTRUCTIONS BELOW.<br><br>To recover data you need decryptor.<br><br>To get the decryptor you should:<br>Send 1 crypted test image or text file or document to [email protected] ||| [email protected]<br>In the letter include your personal ID (look at the beginning of this document).<br>We will give you the decrypted file and assign the price for decryption all files<br><br>We can decrypt one file in quality the evidence that we have the decoder.</div><div><center><h2>MOST IMPORTANT!!!</h2></center><div class="c">Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected] ||| [email protected], will decrypt your files. <br><br>Only [email protected] ||| [email protected] can decrypt your files. Do not trust anyone besides [email protected] ||| [email protected]<br>Antivirus programs can delete this document and you can not contact us later.<br>Attempts to self-decrypting files will result in the loss of your data</div></body></html>

Emails

[email protected]

[email protected]<br>In

[email protected]

[email protected]<br>Antivirus

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.68.59.34:54309

Mutex

b6738a3a-4c73-44b0-84e2-2309553ca598

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-08-14T03:25:16.009296436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54309
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b6738a3a-4c73-44b0-84e2-2309553ca598
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.68.59.34
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  RNSM00350.7z
- Size
  
  3.5MB
- MD5
  
  982af95b63378afb632aa782abff4687
- SHA1
  
  c0f248b4142b1b226b8a3b370662193eacba4559
- SHA256
  
  062ec652ee4d6b0b3a49eb28d3e1acbda510e05104f7567d9080a2b1d9ee5577
- SHA512
  
  58972370e742b87eaf42ffcc041f26cf98b9d37fa52bc2388fc9e42dee847c303ce85698bf35bf28bd6fb299571f07ece08ffa453f034ad842d91581a614f63d
- SSDEEP
  
  98304:BGcHrCjqzcbp9tuPcgg0ayD0mZUjRcZU0qopxP:BjrHituEgg05p6jRv09P
Score

10^/10

gandcrab nanocore remcos troldesh backdoor credential_access defense_evasion discovery evasion execution impact keylogger persistence ransomware rat spyware stealer trojan upx
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Troldesh family
  troldesh
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Renames multiple (374) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1