MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0233c5df0dc88fcb205db8746bf91603fc5cbdd7b56ecdd323140a5b30904f01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GandCrab


Vendor detections: 10



SHA256 hash: 0233c5df0dc88fcb205db8746bf91603fc5cbdd7b56ecdd323140a5b30904f01
SHA3-384 hash: b77f5e565071941620967f534ae5a88196f44cb5c207c555e33b266b4b0f41516bfafee6c44a95882b208b118275c15d
SHA1 hash: 7e8e37091a49743d2c36ecad503ef101ab80a04d
MD5 hash: 7ee993f4c19b8238f7557fc2143ffca3
humanhash: oxygen-early-avocado-mexico
File name: 0233c5df0dc88fcb205db8746bf91603fc5cbdd7b56ecdd323140a5b30904f01
Signature GandCrab
File size: 2'702'180 bytes
First seen: 2022-08-30 21:54:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 49152:55jnHwSChH52xOgH4eUVXUgS8oK8Lv0BCfo8XI9VEh54tN6px/Ev4A:55bHeF52x5TAS8oKA0kf7X8ahANAy
Threatray 2'274 similar samples on MalwareBazaar
TLSH T1A3C52342FEEA45F3F66B293B142E9B31607C7C211F38CEAEA394594CC930492A755763
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter OSimao
Tags: exe Gandcrab

Intelligence


File Origin
# of uploads: 1
# of downloads: 113
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2019-11-12 13:31:50 UTC
File Type: PE (Exe)
Extracted files: 445
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 2ec34874e2f6c737bb428135170fd43da9c0510dadcb7943fdf4f12abd1489f9
MD5 hash: 98f838a8ce0ae2ca1abccb62cbb7a8fe
SHA1 hash: e5873dc5fbdf1b90f5170656b4de7fb216ca456b
SHA256 hash: 297e15b7b7f5e28650a84a9342f5cf8c70cc7fdbe5382884236c573bd4540183
MD5 hash: 89dfa72c390e9e1f40954828b3f0287d
SHA1 hash: 51bbddb03a5b814240394491239051955f5f77b5
Detections: win_gandcrab_auto
SHA256 hash: 0233c5df0dc88fcb205db8746bf91603fc5cbdd7b56ecdd323140a5b30904f01
MD5 hash: 7ee993f4c19b8238f7557fc2143ffca3
SHA1 hash: 7e8e37091a49743d2c36ecad503ef101ab80a04d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.
Rule name: sfx_pdb_winrar_restrict
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments