MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash:	0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
SHA3-384 hash:	12791abec31b559d37094bb824629037b5b9a2a8ccdd252801206c40fd9b6428056e7d6810d8e515171318ff5bf451f4
SHA1 hash:	4dcdc2021fa1578ddcd25660e4135ac39995b769
MD5 hash:	f79e0245a46effdfcafa8feedd2e6fd1
humanhash:	oregon-ten-happy-butter
File name:	0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
Download:	download sample
Signature	GandCrab Create hunting rule
File size:	77'824 bytes
First seen:	2022-08-30 19:16:38 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	1615a1cd5d3909399ee1f2121f6cefbc (13 x GandCrab)
ssdeep	1536:BZZZZZZZZZZZZJOEDlwYSMQsGHxg0TS+XKFMqqU+2bbbAV2/S2TrKyGBUm:zlZHQsozTS+SMqqDL2/TrK
TLSH	T1D5737D2471D276B3F5E269B6E6B47B12445D2D0427943CEBA1E31DF92C120E3AE3CA47
TrID	58.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.4% (.EXE) Win32 Executable (generic) (4505/5/1) 3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	OSimao
Tags:	dll

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Gandcrab

Link:

https://www.capesandbox.com/analysis/303508/

Detection(s):

Win.Ransomware.Gandcrab-6667060-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe evasive greyware ransomware shell32.dll

Link:

https://www.filescan.io/uploads/630e6387a7450371f68eea20/reports/3642949d-8cd1-41ad-a67c-ac3080348470/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GandCrab

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b81b6c66-e06d-404d-bc23-91dfb4078064

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884/

Threat name:

Win32.Ransomware.GandCrab

Status:

Malicious

First seen:

2018-07-18 11:39:45 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

27 of 30 (90.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aqspo5fydxvewgazbo4xfuowdtov7q6dfv632nsu7g5rjjhh3cca._file

Result

Malware family:

gandcrab

Score:

10/10

Tags:

family:gandcrab persistence

Link:

https://tria.ge/reports/220830-xzfjxsgcd5/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Unpacked files

SH256 hash:

0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884

MD5 hash:

f79e0245a46effdfcafa8feedd2e6fd1

SHA1 hash:

4dcdc2021fa1578ddcd25660e4135ac39995b769

Detections:

win_gandcrab_auto

Link:

https://www.unpac.me/results/ce29ea29-26d8-402c-94f2-f3b239825c4e/

Parent samples :

0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad
fec01ecfbc95ba154b19c1e9bb93edaa4bbed6628380b6670afe130e4b05c58b
0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
4c80e0aedee19d815c2806220d374d1c0e501528306d6a185393cd1e0795475c
125f75320c80d5b4d73c000058f26e92207d28a3d7d88551041f7a62f2a59e3c
a185dde52390362b8c0e2539364480b1a4c1c01b7d9f0c133aadc2e77df0bf77
9535f9f6dcf372a58c7b396586adb22918e77e1de328ca6dc6504779586bd8ce
bf8eb76703eed0bd31be33d82f773aeb8e09588e36a8bdb0c12f96d0f85b4036
e30572c5c1b3c8551a6080ea6757178985465f5c2e1444d31130faddc8dde887
c7674316186399d4efd355b2b670f2c203a42513755e7bd1f0a23b7206b42ce3
c14ba4f86110122a9c740a1154912942b9825289c648c79d54b6935114e4de17
b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa
7dbf5c226c252325dc0e94eadef321153fa49c2e9e0003233db2fb01154bd35e
45648cb1078b898c2f49ccdba24a160937b2aa868ab8ad80896f5374e05cc3a1
8723ec9a0f117eda5f8fba7c2766082af4301593bbb7dda11420182ca93e5746
0ba313a99df7bc369f20838932426111c7ae431d884599dc134b4821b620a5e1
cfd501952a6325c50ce683e48819e052d541452f2cf37884f653e3c7accfe2f7
245ff054da4a6cb23a64b0fa4029e3ce278670fe64061dcae6f81e4c90be4901
a7c490f7d2aa1c783ceb763f744851927ddfd4c6bc52f1f7d5802fffe6c23add
7e61526d275fcde2370cd9024cb395116a34898234e18e0037b68b7cac3363b7
8d0c3f209c3c8eabfc15ac7b53aea8e7b0e3b8fc93772bb0e9a7abfabdc3043b
6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe
1edc828da884f2b17544ba6609f55bba3c950093528a5e857a23be8ae78fcb36
bc345d907c6fde218bef52b9620066a2631bb8e47078b60363352be45ed196d5
1f3c004c5876f951a7afb57ab606de3407fcb2b830ee1baa3f2ac93c30bb25e4
283a17fe8380d7a844a035d2addc8942f9dd40352e297debf205c4cd880bbcc8
f0707ea68e6eb316e6d1f19fc4a64cf8ecea66473eb71581d748ba769e3cd1a9
589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Gandcrab Create hunting rule
Author:	kevoreilly
Description:	Gandcrab Payload

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	detects Reflective DLL injection artifacts

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SUSP_RANSOMWARE_Indicator_Jul20 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware indicator
Reference:	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

Rule name:	SUSP_RANSOMWARE_Indicator_Jul20_RID31A2 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware indicator
Reference:	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

Rule name:	Win32_Ransomware_GandCrab Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects GandCrab ransomware.

Rule name:	win_gandcrab_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.gandcrab.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/303508/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample