gandcrab

General

Target

https://gofile.io/d/J0F9V6
Sample

241117-gznbrstbld

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\QOENU-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .QOENU The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c1f2c8f0bcff494d | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANChtdxe4KCuGVvPmL6mVjj0dpWHS0SLwAsIxTDRhfgpSKA2m2F3ktqMck1kW3fh11T0ur6QUKzShZJ9VkejxOM/5DJegpgUrBUJGXToriHErXi2o1yE5blCNNOfoZI1A2yymJICxZMEelvQyb4h1ZjvzTECYOBTgJY1fdWnHBVZs3nI0xjhvhvwQVd8ZbRMfRYJ3hx+0fMc+PQ6tlxw+UnSPurAFzB6MaqDGOJ6Xx7K4sAnRpxi2FoIkGj7KhyxD2X54TcDnZzDVyM4j7D6o3pL3E7lcs03py0jOc5XauQPWZKfS9XFrGU4aOmV3k9SFuhdMGv3Wlr+IcLGVMr598HR+IMg4q5lJIhHKktuJnEgOfPvMjvjq8Tou+MrcaxKOD5T1XUCeIMnSze0o0RYwKs+aRWl0v7meYLey3DU6zenqJHpeQ14jHp2pwEs9odyPr+i7OG9hc9lY8/ElZ+0hiKIxNxG8GTusDaNUECGmm2O9/CbDzPaW0OrWVb4i2y4U7Pz2+My81pArft0wPz7q80mVxm9+Z/D6EZ4vGJiwpBPB2cy3tHBef7iyTtM80iTFyNOlqJmR9+bWD9iGIEllDTHaa+S/BXcxGD8HyaY9I79NGMBJWK7FZJp0ha5X/uRJH0a4ePvS7n4OaaeqNvxKkFgagaErxUMAVrVb5ZRgGa79jzWQHEu7JaSQDKiUlIB8tPCyoj85s/DkJR98dq2VFWkEngdiHah9Ow8HRrQZDspK55gBheESKH1j4idkRtz6jFcAHY0HdqNpc96rijWOS4lIPouRQ0V/FnBZlzHc2h1JHmfQ6kLW9Mb5xq6RLxKpfYYtvuSxkpxfRklGCniRHgCoIrutJpaP3dY3GYCupti0zODHmm2FcvXJ9EIky08Ag3oiEO061+igwhNIYdp7zC6nXQSd87dSTUfi0E2lh6YrrAptdGlez1fDOVeVWK9+Mkq7oOXS08L/fT7ReU7jayWXXCAN7K/B4smYKgC0vRNyqxSMbqv5l5HlO9EcenTBhhZIvjSWQA7LTo7GyYEnXN6xo7Hw04Zrxi0rmqbsmOhpX0kdtpUJGfpl/Uqm2e2xu4w5mzxAfTutH5oxh6Rx92etDHrRLJtfLy6xyosxBIel8jqLo1Godxs8qzUQMXxHAkrCdgtwPo1yH/BYXjJk9iTsqm4WSLOij1AR5no4L7ZWI08qownNPvGIQEczKcQP/Sxg/cOZspfFgv52WEsdIBrIRU7quk8ZoW4cYUdFqYl0RbSNipfEXaxlsotEJ+1GwTbO4Y1qXun0PnPWPTOoPnekc8IBiggRXIrX4DKwEs3080OouUCpebRQasiIJXrimpNQLko3dxhtuyLhr58QvhuBhnXo9miA+q842TRnrLpf0x1wcG9Qj5RJzQDLYIIPvBVxqhs/53Vo8CCLblHTAhVAmrQzZd0VG/L8o9T00t3K6tpEiMFkukyEAgtMbtQfKK6hPj2CyfJQczM3MP43IQp4ExAAk7Dp1nzpK4EjiXlEI1FvUXBi5PF8Lnzj76w3/8MiGaAbqnDzQVrwhM+tlcKIVnkWnCMPbYJOglTRj05b94AADJOhxZDmzcFJfC9Rl7P/a9ol8RAEb4F6ZWrf/oUGiV2AQuPrkHypRN7grcE9M5mH3YClsAP3hInjzgb4I+rpyAbCql+7mfF4dlFj+cRAt69AsJCML9VlKQp5Sd09J+D0ibT+aSpwjjKbdGiQ48Aa/eErrD/0IX98q4nQaW5DuVD9gz60BXdUBOdGuSDWhhIU7LwSfU5BZ8l+7GTE4P2IedizLwN7OeByXQS+0rwucpm2s+JKK/SJGEecTRlo11bPbQlxwKXMDCVqnsgq5xS5NscECLEYudTqEdQf7O9nnHgiffVOYrNseEaHkQ/LkWpPI5lpsRmWGLrVEhI72bsQ5Qyc6qWUlcv2F8cpAPMb2I3z2RD4gUAT6WtlpNmGTwYiN+GdAAnTZDMVqWVSNcYzxxrvuyquNm1SA6Yoe+xwL0zVW1/h7GqskWts/eTYbbpeNDsWS1ae0kBPQJp9Z9eQhxnHeLIWiopo/YxfuSl2DD08/RXMiiP4aNMgus5w51t4QTVqFw3acYXjfelbe8sEoRmOM3MkxbmFCUqEp3Cwj8wgqytTGt2LuTJi1oVxosybcE/Zevi9/wzW1Rqax/29kunxhzgGSfs7Gf8PtPrLwE0R9ZlSHI4fxt0UQ8+imTp4rPg7YaT0W8R071Yjxvn3mY= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59NDJJpDZAveVq+DMRWDIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJLtAMBnJqrMZtR+i3Z7HMmYaR30fWP4/y+PNsLLDjDaP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypy8H1f2lVzmR7qt4Auw5gT+wK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxtQXIEb1UEGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/c1f2c8f0bcff494d

Targets

- Target
  
  https://gofile.io/d/J0F9V6
Score

10^/10

gandcrab aspackv2 backdoor defense_evasion discovery evasion execution impact ransomware upx
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies Windows Firewall
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Modifies file permissions
  discovery
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1