MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c305b71e7b513325ac8aa74f3aafee520de453998bb56223852e0dafcfdd399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 11

SHA256 hash: 1c305b71e7b513325ac8aa74f3aafee520de453998bb56223852e0dafcfdd399
SHA3-384 hash: e9395152ca6c210de89eb5fdfe68d0a8d9cc73cac72589e3b4214bc5e4cbe5cc0a0a1070a5b47b4ca45eca1fbb9485e9
SHA1 hash: 0572e36645cb38b951f00f2ef39ab63bc254287d
MD5 hash: 730b63142f60bfb6db94e3af61d61b2a
humanhash: lake-autumn-stream-bulldog
File name: 1c305b71e7b513325ac8aa74f3aafee520de453998bb56223852e0dafcfdd399
Signature: GandCrab
File size: 4'849'901 bytes
First seen: 2022-08-30 19:43:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 98304:55nKWZ1+ArtaKTevWMRuXNY8BrolEy4GTgz3wMN0NVliL5:5ZtPrtnKlRCCxJN2wK4lK
TLSH: T1B4263303F8E488F1E8672A3A4D19E760B97CBD341E31575E6B40992FCD316D16C29FA2
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: OSimao
Tags: exe Gandcrab

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1c305b71e7b513325ac8aa74f3aafee520de453998bb56223852e0dafcfdd399
Verdict: Malicious activity
Analysis date: 2022-08-31 15:47:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2019-11-13 06:45:55 UTC
File Type: PE (Exe)
Extracted files: 191
AV detection: 22 of 25 (88.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments