General

  • Target

    2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia

  • Size

    250KB

  • Sample

    241215-dwwxystrgq

  • MD5

    1f1bd29d45c5ab7b60bd03e37e3e2c01

  • SHA1

    6c36fc36ba6f88dd4dc22b5801a14d61c70f44b4

  • SHA256

    7da47ee5bb9211fa7e07b158c4e9a425a69cbae6bdbcb7200e09593d74d37e37

  • SHA512

    5cc9b9a5e0dfb6f03bdff7828cc637443f54b16c977e8c3998573fa9fdb268a4202d2d87a92371c8ea5fb37b6eae293ae760bf17b3c6f89446a8821ceb1ce522

  • SSDEEP

    3072:7HvXSC+AQalUoA/INvHc7aEBN82RSVRnoxhsI/5muYDAuBauuuuuuMuWauuuuuuw:7D+A0Z/IlbctOR4hsI

Malware Config

Extracted

Path

C:\Users\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2d647aca69586c53 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAB3kblpPh6qkJI4pQm8nS9b83WCrtimzBsfcaG66IzT3/87F523WvamAG/7QKfzJgdBTQpI7MAhOT7/YVUxBOtdKGrM84ARduXxeVBSsk89e1tNowVad/EXWrI/4AAX+PZuNOFTiFAHWJsiZuHjU2JehxuU4KpzW+/iwo1pZPX7u/hKp255B5lXGj9ad/1DtMKK3nYzB5Rvr0eyEePM4TNY7MxwuvrrRY4vlNe3gn/Tkaw41wxk5tZXS1+JqMO88f6gqtLEf3Fdq5kIRwjk/Cvyrx44m7gc525SlS4Yh2bqW2yh8ieQfjHIPbPY90GdLxbs89hVkVajtxsYyP0Uq6TI3+2snHr4ZkdzuZD69eVHQwvnIdZil/mG1FGUw325PJbyzPPrIPn4cl5epTMuh5cXtQiAFBmjv8bNlD0CAWUJEoJNamDHgIwwkLOs+8Rre4vWzS7XiuEUzWzjVXcOmclfSp9W1miTuIKqJ6h8PXSxZkuZyv0NAHpqxRWh0rNZ0NoCkKXDCv3ncUrU+f9O0QQjVFFB5s15CGHaeamglLFtjF/lfaeiLtpcIOkgSEmgO1EdXxDWMfrpqXtm1NqlMSFrkAY0J3SuQTTr36KqU2OW7MonAupESftslG7DtUpWfjezrkWizOGRMPVbLDj+XS2RiYOFq22VUAHutlnMz2f+A/8q7xX9T5PM4FOoOeaEi8vtmY9k9y6vrA5Zk4aJheiLDtLuddq6CZIYaAcV7+7QuYS4n78/RPXO7Et4zhRh8rFAYXFAbzn4okCUVd1gh9YSMrLdR+xnwoP+sIsFGFM3PIPKs3iRd9dnJoqwv6BhC2kYc5HshzNS3LROaGWwqJ2G04BdlFr5TlUQC4NY9b7wW3W+0kVUrH4UwMHuYaNTTuITBvwNFOJ0cQYnixT5GFsr1Ob8W0JZwUksyfjfXv0Zhr1Vajvo6zFoQqmmX9/jtk223n0djD1w2Q695HB8bhpcWpdbYercC6XBSr2Ncz+3LaA4QuYyjuJVq21PBh6L1I2xsc+sBlOxiCGQSagsp3Zuy/lVTKHbrnK978L7H05w9BosKmPuztxiEm3GULNJW+fYxyBMH13WASudl5m13EKNMa7SXW1ELfipCoweq2uvU+KliDKGZxSAzxvUPQFGq8aDwCGusZvALm0W2aMalLpW3TYtAXEBrT1XJr1vdYGp9t44H0suuv6Xbrv/IJ+laR+f++0AqXZEQnW2dIyRyr8TnOQoPtW8H9k5VJ1CwL6ea7XkGl3QoIsXZGpm/fspBSOinXdw7uYXqZDK4CSPF+irsOo4UJgcFFf2GdXNaCePKfAsvrHa4pjwRuHq3wYG726l5GSOqAcTM6KcihPa1sla0m74Y0Tk3IuKeHNANRE1fjBUVZTiZeYZ7f2UaN4A3cNdWn8Wg8rB3po4KjW5A2AkdLQAjEBDYlzIrBL7JWmPiK86IZ2GXIuMWHcsXSCfO0jVSxHynzwny3LHJtho/cLE20gBMlMpPNySO7qOHbon5oTO3w2YgigLMr4anLCcWAgpQeQgHMvjXabDGxVrZQAaRmC48N1kj5aGGLHP3+5Dp/MoAaX3JvzA45xheYSrd0+QAu4dYdtyrA5W1lmk2S6Ec9ORwBmqM8I40u8f86a4Fzi7BKvI5ES/8FNGbkvq1anXXyKwNKK2f30KIFoj/BzQx02o2q81SOPqZUDpf7hvilf+1R+obJj7yfaBns+NPQfVrzQaI0bILWw3NAEe6crOstqa0zrg3X2Z02RRAcRbaVNvw96BwAqcf5KtYFTtUXwSd1IbO/lO431kWgzZYTXGRoOvhmIYrjH4os+ttvdWgnK15bnpXXvDcID3WZW0Dg4b6lL+2weyiMtTyxwTR4Nal3mU5Iwow/brztGnU/5y4zzpWiTHayi1FrdbED3NJWNJqUoMZNVXxbO4KlpLMCSAspy9+NMQk3BnGOcVnhfjoK6JGBPwoBd4kaCyz8CtEfCXWLqgK77JFowzh1ea3SE8iP1CkaeG78pbyRaWsC0A/aiFJ8FLRX127J5D0JBxjh3z+ADTqAhi0GCEWoWZDEdTEqqkppd033tn8lFskhwXVUMG+of+bfHbUKSA+SWCxrQi+V0RAA4dGHzDEQRQLJMUlQWztv7vqBhYd6Mjz9WepG+lbDU4pSmL2BAHoyxUMHnv5skduzCRegXYEgkA7sOXKrUQbQLmkIUysSxIm4I4n/YCObmnlaqyDj4plglEBj9TX9Ts= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZHTp5RunYa7m1Wt7fMTHiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4bEmkU7B5OKj/zc2Qut3Gt1YZVqGBi/tqxGFEdwboicE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg72Zi/pDxFL3vfLOOao1wQZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHwHowOP7+LRYsPy4knV/fu67PJzMP9LnZDh5szqewLRaRtAf+EbjLWuuIPXpFeJdR69BFhflKE2uFgzGnXLQQzyAtYfjv5 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2d647aca69586c53

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2e47ffacd2ccbf3 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFotj7Yg2F0O1zUN23d2Scr5L5a+uZenIZB/rGYjbdMtU0KyIjaLvmaPTo51q6hYbtZGjuUm1G8djojYm89U7yBz5gdzOLXMNulvKKuVLmnYiih3jdegHI7TLCsUlmfLqirNP72+MBVcHCQO1Z1IVYB/EBXLC+s12kZORs5mqLG5vuwy9R80YEHC3RE7qFF+Iyt9P1atXSjjzDB9mxQy97Xf+YaeNH/KRHV1QhkFB0Hi5dM1AvRAy17D91MCNbuLKXT0HOwjDX9J1FfVLKfejgyBPvzVIYKxSl2FVsu1AeC+UIMjwLO1JfWkaeaURxD6uEUCNf8AnlHNDE5blW+EHxDmGygwfl/hnQ9F/2T88AjnLZ0O7HtgTStBkyfh3z1k9YYvciRqIwCTXcUQhdkOGoRYCV0h7jGqs/UOviwaUFPGehk42RrZrwIvWdk3ZQzY3znPhSPLeGWkAsD8qs4WBkugaIvrNUnIuJ4XBTdmGEFij70ZGKWg0iZMKBy716kCtlex4ZuhBBTvRel+QX95dcnKAs7R4vyUeUT6ACa1Hvlpi9XQBJvuJWGRPj6J4mpM9NtqCacncY0ZQbbnKog+ISffuaAoZGqpTBXZux/RJR1YhfB8gLSVr12s/LjmjHJRSvVI+cHMWy6yHDOD0i6S1jNxOmat/W+Tw8Zuu6TkY0tQrLBHX39wUzQ1BWT3gnJuDngHDRs/qQ3VvJ1VblmZS5iIpcu7oXM7zX7zlWf1eWQHK7JtnpceAohcFAWydkF9cbpD6uZi7rsI9RqhK7OZmGJP/sQHi8tEMiQBtZVPgZ0Z66c4h+x4R2yJE02UIFc0lsIZhZ2/brWZ/L0Sd0E1/xpnjliaSqpSfT33LKOCgEfSUeShhzCfnxqStGYH2hOKFGPbpArLiy78BEFJisTVgE1xJzS9x3EkFDkXaBzt06geC4qYsctdxisbaMVdcOXNFJVexZ+zmG+tgj6RVdU8rTLMZLglUMrhEgzvmlAkK3IhKRvoAKmPGh883Xzoc2EpOEqGwNRLowssR3yg241BVWiGxFKLrzi9UlUlt08CTN8mD1rcU0DkcFWKKT/GfjC+pXFfwyDB3MC0z9fRYG2CuHSGI+W/bLtVPMeADldI67EwM4M7Zqvr3AJRTqIT+VAvHRHY6NB1IOWWyNsfpUxtNHf3LSRSVhjqK3+65yRH3H7OMq4DUrBUHsSd5TNtCJgGznb00NrXu3NJ5H634J/u9ifhxjudZFQLlRgC0L7dFjVA7A6eldM5iqr7Jao7OyuzzEy/NfMY4mZ2uU6Ka3RBaf5Kr3I8FLA9SBN6DJCtw3YMzb5SPV/ua+gkG74G6tLUTp3RtlWgz8iTMy/GJOKMoLbVd5UxQF5n10eTUL7p5100m6chyYFEDMfEDcAQmF3TxChB7LvkrMQYgFdjAoVebxh1ro+FB8wwrRU09IXuRUBsxgWB/t60201w7+ewSnXrS/fWhdo1mtfJ5z++ANjvLvL87Tvxnjlf+9KH2iXKu9BBUsYBuTQs9XD6x6jtsas8K8NNZfvXniSG3eFDvBXGKglPtLQM6+8JrqD3SfI0NHnfpBmIogqmKIXMw5rgRLfadlJTw+TuQRjqa18uD8VY81LLJ90iwUKfM3HHBInP0Q4GbeK60wsPnysYPwKN4d+9NAWrV4r3s7jtvLqXBuw+sci32smu5EVQdlnB4Uf2FZisMjVBgtE62PqvWqu5M0iU7rV3v8OrZ+x/QkFLS4tQGilJHS3+FNi4EvH+mBLyG21QCxQSpYxcDKx+z0qJFUevvfU0J4ao+KkdtEdt5fvubDP2M+tIwsG99evZzvRaSsm7xuBkgrvythNDB8ujFi3xpGpF/YJ2FAle2OrtyjXSBqMJSJKgpINWm5tWE8aEBSolYTxxGU6BFnvxZjXS8TCfZJCOFe6h+R9oxbD/ZH9YqKr+qk9qMalypJ/uB+zm9dWDEYcHFA8IwStdzjgAtvEERay4Gg+UeqKENaCcM8hixTW+uruVqD1kVx7QXcgmG5kNKNLCh1w63OwscHc3lURwvSnPyN4BMsFY/Em5MR/gk7o0f8SBjbG4JGU7nVYo/0ndcg8dVrIVMQ86wNnkwkGEJvvDf0YssieltrZrTO0rBx9idYGUAEzWiv552YCrZvX0I0KLdRkLf2HLtq+j6UQvl+1APrFwe2x6gXK45LsWnzctTqwEijWb3sQgnqbntHiPoId1yDKvCy8W9LRX/V6H+Gpppy4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZETodRunYa7npWr7fCTGmHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4uLx/2I2FutwGo1YPVrQBnPtrxGFEYob8ydE4tq4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFM3vDLNuav1wUZM3QWRkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOeb/YRZoP4YksV8zuv7OczMv9OXYAh9gzrewdRb9tHf+DbmDW4OIcXpReLdQq9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2e47ffacd2ccbf3

Targets

    • Target

      2024-12-15_1f1bd29d45c5ab7b60bd03e37e3e2c01_karagany_mafia

    • Size

      250KB

    • MD5

      1f1bd29d45c5ab7b60bd03e37e3e2c01

    • SHA1

      6c36fc36ba6f88dd4dc22b5801a14d61c70f44b4

    • SHA256

      7da47ee5bb9211fa7e07b158c4e9a425a69cbae6bdbcb7200e09593d74d37e37

    • SHA512

      5cc9b9a5e0dfb6f03bdff7828cc637443f54b16c977e8c3998573fa9fdb268a4202d2d87a92371c8ea5fb37b6eae293ae760bf17b3c6f89446a8821ceb1ce522

    • SSDEEP

      3072:7HvXSC+AQalUoA/INvHc7aEBN82RSVRnoxhsI/5muYDAuBauuuuuuMuWauuuuuuw:7D+A0Z/IlbctOR4hsI

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (329) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks