MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 11

SHA256 hash: 0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad
SHA3-384 hash: 737058d8dec34c3835c8e4ee80eabd22332d85e55d32f1e5738e2e1de1e35812324d464be61b07bb65603e358ea184fb
SHA1 hash: e0c4095c71475036bd79f8bb926fcb575d446d36
MD5 hash: b4fc1596157eb7b7900dd1da72c301c4
humanhash: west-video-red-spring
File name: tracking_number.pdf(2).exe
Signature: GandCrab
File size: 219'661 bytes
First seen: 2021-05-07 04:52:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c1ed536789620e443598b625f8d0ae7c (2 x GandCrab)
ssdeep: 3072:ePI88gNJMXBNO2gwvT+qaRER85N/0N9eaoRSh+KpVmytJKF7Gb:yI8FNmBJrxR85N/0N9eao+UCJsM
Threatray: 180 similar samples on MalwareBazaar
TLSH: BF24E013B2D4A871D5270B758D2989807E2DB5400778539F37AB2AAB9F702F08A7735F
Reporter: starsSk87264403
Tags: Gandcrab

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'207
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: tracking_number.pdf.exe
Verdict: Malicious activity
Analysis date: 2020-01-23 21:49:33 UTC
Tags: trojan ransomware gandcrab

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GrandCrab Gandcrab ReflectiveLoader
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to determine the online IP of the system
Detected GrandCrab Ransomware (through HCA data)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found Tor onion address
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses nslookup.exe to query domains
Yara detected Gandcrab
Yara detected ReflectiveLoader
Behaviour
Behavior Graph ID: 406690
Sample: tracking_number.pdf(2).exe
Start date: 07/05/2021
Architecture: WINDOWS
Score: 100
Contacted domains / IPs: ransomware.bit; ns2.wowservers.ru; ipv4bot.whatismyipaddress.com (66.171.248.178 port 80, ALCHEMYNETUS, United States); 3 other IPs or domains at sample level
Process tree: tracking_number.pdf(2).exe started nslookup.exe (3 instances shown, plus 12 other processes); each nslookup.exe started conhost.exe; the nslookup.exe instances and the other child processes query ransomware.bit and up to 36 other IPs or domains
Signatures at sample level: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures
Signatures on tracking_number.pdf(2).exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Detected GrandCrab Ransomware (through HCA data); 3 other signatures
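The signatures and behaviour graph above translate directly into host-observable tells: a double-extension executable, nslookup.exe spawned by the sample to resolve the Namecoin .bit name ransomware.bit through ns2.wowservers.ru, and a lookup of ipv4bot.whatismyipaddress.com answering 66.171.248.178. The Python script below is an added example, not part of the MalwareBazaar page or of any vendor's sandbox. It assumes Sysmon-style process-creation (EventID 1) and DNS-query (EventID 22) events flattened to one key=value line each; the log lines inside it are constructed for the example, while the hashes, domains and IP address are the ones listed in this entry.

```python
"""Hunt for the host-level tells this MalwareBazaar entry records for GandCrab.

Added example; not part of the MalwareBazaar page or any vendor's sandbox.
Assumes Sysmon-style events (ID 1 process create, ID 22 DNS query) flattened
to one key=value line each. SAMPLE_LOG below is constructed for the example;
the hashes, domains and IP address come from the entry itself.
"""
import re
from dataclasses import dataclass

# IOCs from the entry: this sample, the unpacked payload, and the
# domains / IP address in the Joe Sandbox behaviour graph.
KNOWN_SHA256 = {
    "0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad",  # this sample
    "0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884",  # unpacked file
}
IOC_DOMAINS = {"ransomware.bit", "ns2.wowservers.ru", "ipv4bot.whatismyipaddress.com"}
IOC_IPS = {"66.171.248.178"}

# Parents from which an interactive nslookup is expected; anything else is odd.
BENIGN_NSLOOKUP_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# "tracking_number.pdf(2).exe": document extension, optional "(n)" copy suffix, .exe
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)(\(\d+\))?\.exe$", re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed Sysmon-like lines (assumption: not real telemetry from the sample).
SAMPLE_LOG = r"""
EventID=1 Image=C:\Users\u\Downloads\tracking_number.pdf(2).exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Users\u\Downloads\tracking_number.pdf(2).exe" Hashes=SHA256=0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad
EventID=1 Image=C:\Windows\System32\nslookup.exe ParentImage=C:\Users\u\Downloads\tracking_number.pdf(2).exe CommandLine="nslookup ransomware.bit ns2.wowservers.ru"
EventID=22 Image=C:\Users\u\Downloads\tracking_number.pdf(2).exe QueryName=ipv4bot.whatismyipaddress.com QueryResults=::ffff:66.171.248.178;
EventID=1 Image=C:\Windows\System32\nslookup.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="nslookup example.com"
EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=example.com QueryResults=::ffff:93.184.216.34;
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def nslookup_target(cmdline: str) -> tuple:
    """(query name, explicit server) from a non-interactive nslookup command line."""
    args = [a for a in cmdline.split()[1:] if not a.startswith("-")]
    name = args[0].lower() if args else ""
    server = args[1].lower() if len(args) > 1 else ""
    return name, server


def check_process(ev: dict) -> list:
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
    if m and m.group(1).lower() in KNOWN_SHA256:
        findings.append(Finding("known-gandcrab-hash", m.group(1).lower()))
    if DOUBLE_EXT.search(image):
        findings.append(Finding("double-extension-exe", image))
    if image == "nslookup.exe":
        name, server = nslookup_target(ev.get("CommandLine", ""))
        # .bit is a Namecoin TLD that public DNS does not serve; a process that
        # resolves one through an explicit third-party server is a strong tell.
        if name.endswith(".bit"):
            findings.append(Finding("nslookup-namecoin-bit", f"{name} via {server or 'default resolver'}"))
        if name in IOC_DOMAINS or server in IOC_DOMAINS:
            findings.append(Finding("nslookup-ioc-domain", f"{name} via {server}"))
        if parent not in BENIGN_NSLOOKUP_PARENTS:
            findings.append(Finding("nslookup-odd-parent", f"{parent} -> nslookup.exe"))
    return findings


def check_dns(ev: dict) -> list:
    findings = []
    name = ev.get("QueryName", "").lower().rstrip(".")
    if name in IOC_DOMAINS or name.endswith(".bit"):
        findings.append(Finding("dns-ioc-domain", name))
    answers = {a.split(":")[-1] for a in ev.get("QueryResults", "").split(";") if a}
    hit = answers & IOC_IPS
    if hit:
        findings.append(Finding("dns-ioc-ip", ",".join(sorted(hit))))
    return findings


def scan(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            findings.extend(check_process(ev))
        elif ev.get("EventID") == "22":
            findings.extend(check_dns(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

The hash rule only catches this exact file and its unpacked payload; the nslookup and DNS rules are what catch the siblings listed under "Parent samples" below, because the .bit resolution via a hard-coded server and the external-IP check are family behaviour rather than per-build artifacts. The benign cmd.exe-launched nslookup and the ordinary example.com query in the constructed log produce no findings.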
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2018-06-20 10:38:52 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 27 of 28 (96.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Unpacked files
SHA256 hash: 0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
MD5 hash: f79e0245a46effdfcafa8feedd2e6fd1
SHA1 hash: 4dcdc2021fa1578ddcd25660e4135ac39995b769
Detections: win_gandcrab_auto
Parent samples:
0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad
fec01ecfbc95ba154b19c1e9bb93edaa4bbed6628380b6670afe130e4b05c58b
0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
4c80e0aedee19d815c2806220d374d1c0e501528306d6a185393cd1e0795475c
125f75320c80d5b4d73c000058f26e92207d28a3d7d88551041f7a62f2a59e3c
a185dde52390362b8c0e2539364480b1a4c1c01b7d9f0c133aadc2e77df0bf77
9535f9f6dcf372a58c7b396586adb22918e77e1de328ca6dc6504779586bd8ce
bf8eb76703eed0bd31be33d82f773aeb8e09588e36a8bdb0c12f96d0f85b4036
e30572c5c1b3c8551a6080ea6757178985465f5c2e1444d31130faddc8dde887
c7674316186399d4efd355b2b670f2c203a42513755e7bd1f0a23b7206b42ce3
c14ba4f86110122a9c740a1154912942b9825289c648c79d54b6935114e4de17
b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa
7dbf5c226c252325dc0e94eadef321153fa49c2e9e0003233db2fb01154bd35e
45648cb1078b898c2f49ccdba24a160937b2aa868ab8ad80896f5374e05cc3a1
8723ec9a0f117eda5f8fba7c2766082af4301593bbb7dda11420182ca93e5746
0ba313a99df7bc369f20838932426111c7ae431d884599dc134b4821b620a5e1
cfd501952a6325c50ce683e48819e052d541452f2cf37884f653e3c7accfe2f7
245ff054da4a6cb23a64b0fa4029e3ce278670fe64061dcae6f81e4c90be4901
a7c490f7d2aa1c783ceb763f744851927ddfd4c6bc52f1f7d5802fffe6c23add
7e61526d275fcde2370cd9024cb395116a34898234e18e0037b68b7cac3363b7
8d0c3f209c3c8eabfc15ac7b53aea8e7b0e3b8fc93772bb0e9a7abfabdc3043b
6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe
1edc828da884f2b17544ba6609f55bba3c950093528a5e857a23be8ae78fcb36
bc345d907c6fde218bef52b9620066a2631bb8e47078b60363352be45ed196d5
1f3c004c5876f951a7afb57ab606de3407fcb2b830ee1baa3f2ac93c30bb25e4
283a17fe8380d7a844a035d2addc8942f9dd40352e297debf205c4cd880bbcc8
f0707ea68e6eb316e6d1f19fc4a64cf8ecea66473eb71581d748ba769e3cd1a9
589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac

SHA256 hash: 0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad
MD5 hash: b4fc1596157eb7b7900dd1da72c301c4
SHA1 hash: e0c4095c71475036bd79f8bb926fcb575d446d36
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: GandCrab
Sample: Executable exe 0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad (this sample)

Delivery method
Distributed via web download

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 04:59:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0052] File System Micro-objective::Writes File
5) [C0007] Memory Micro-objective::Allocate Memory
6) [C0040] Process Micro-objective::Allocate Thread Local Storage
7) [C0041] Process Micro-objective::Set Thread Local Storage Value
8) [C0018] Process Micro-objective::Terminate Process
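The MBC list above says the sample carries an RC4 key schedule and PRGA (C0021.004), RC4 encryption of data (C0027.009) and single-byte XOR encoding (C0026.002). The block below is an added example, not the commenter's mbcscan output and not code recovered from the sample: it writes out exactly those primitives so an analyst can match them against a disassembly and decrypt an extracted blob once the key is known. The key and data this sample actually uses are not on this page, so the self-check runs against the published RC4 test vectors instead.

```python
"""RC4 (KSA + PRGA) and single-byte XOR, written out so the MBC identifiers
C0021.004 (RC4 PRGA), C0027.009 (RC4 encrypt) and C0026.002 (XOR encode)
can be matched against what a disassembly shows.

Added example; not from the MalwareBazaar page, mbcscan, or the sample.
The test vectors are the standard published ones, not keys from the sample.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 under the key.

    In a disassembly this is the loop that fills a 256-byte table with 0..255
    and then swaps entries while walking the key with a modulo index.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list):
    """Pseudo-random generation algorithm: yields one keystream byte per call.

    Works on a copy so the caller's state table survives; the i/j swap and
    s[(s[i] + s[j]) & 0xFF] output is the signature analysts look for.
    """
    s = list(s)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric) by XORing data with the keystream."""
    keystream = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(keystream) for b in data)


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the trivial 'encode data' primitive often found next to
    RC4 for string obfuscation; applying it twice restores the input."""
    return bytes(b ^ (key & 0xFF) for b in data)


# Published RC4 test vectors: (key, plaintext, ciphertext hex).
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def self_check() -> bool:
    """True when encryption matches every vector and decryption round-trips."""
    return all(
        rc4_crypt(k, p).hex() == c and rc4_crypt(k, bytes.fromhex(c)) == p
        for k, p, c in TEST_VECTORS
    )


if __name__ == "__main__":
    print("RC4 vectors OK" if self_check() else "RC4 vectors FAILED")
```

When decrypting a blob pulled from an unpacked GandCrab build, feed the bytes and the recovered key to rc4_crypt; a wrong key yields uniformly random-looking output, so a quick printable-ratio check on the result is a cheap way to confirm the key before trusting the decoded configuration.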