gandcrab | 93f24684cbafd2594ebe7c9ac4d460dbe829450636e99a53f54eeee2b4e59fc0

Analysis

max time kernel
103s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-09_e3233f6145963d01c485886e22ae10c6_amadey_karagany_mafia_rhadamanthys_smoke-loader.exe
Size

247KB
MD5

e3233f6145963d01c485886e22ae10c6
SHA1

7a301b50397ed8fce3bcf702175a01d3db4067a3
SHA256

93f24684cbafd2594ebe7c9ac4d460dbe829450636e99a53f54eeee2b4e59fc0
SHA512

828904bc1f024ee3f2aa2b70e9640f6c59a5e233831fe27d69c6a95d882a94ddc27be3ccbc7a3e56ab5d1e09c1c4ae46c8c22411d58f9f9eba58160d6714af19
SSDEEP

3072:qe/3l1glxNGX0+tl0BNsPmmWpOTgfgDOOK+74ArCjZ/NHkciAHaLiq7:qevEDGk+tOWmTYD/gEY/EcHKiw

Score

10^/10

gandcrab backdoor discovery ransomware

Malware Config

Signatures

GandCrab payload 3 IoCs

resource	yara_rule
behavioral1/memory/3572-3-0x0000000000400000-0x0000000000443000-memory.dmp	family_gandcrab
behavioral1/memory/3572-4-0x00000000005E0000-0x00000000005F7000-memory.dmp	family_gandcrab
behavioral1/memory/3572-9-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4544	3572	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-09_e3233f6145963d01c485886e22ae10c6_amadey_karagany_mafia_rhadamanthys_smoke-loader.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-09_e3233f6145963d01c485886e22ae10c6_amadey_karagany_mafia_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-09_e3233f6145963d01c485886e22ae10c6_amadey_karagany_mafia_rhadamanthys_smoke-loader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 476
  2⤵
  - Program crash
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3572 -ip 3572
1⤵
PID:5408

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3572-0-0x00000000005A0000-0x00000000005BB000-memory.dmp

Filesize
108KB

Download
memory/3572-1-0x00000000005A0000-0x00000000005BB000-memory.dmp

Filesize
108KB

Download
memory/3572-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3572-3-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-4-0x00000000005E0000-0x00000000005F7000-memory.dmp

Filesize
92KB

Download
memory/3572-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3572-8-0x00000000005A0000-0x00000000005BB000-memory.dmp

Filesize
108KB

Download