MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 245ff054da4a6cb23a64b0fa4029e3ce278670fe64061dcae6f81e4c90be4901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 15

SHA256 hash: 245ff054da4a6cb23a64b0fa4029e3ce278670fe64061dcae6f81e4c90be4901
SHA3-384 hash: a3dc32282ddd5d2703d51cd833c468a34a0a69842ab4000b5658e7bfa07402a883bd0e5028d5d91a5fc100f6280b510f
SHA1 hash: 36dcbba1f05ae2bc302ae82c5b85acbb6d0c7fcd
MD5 hash: 17093a2ba053dc45365e87adaf740f0e
humanhash: monkey-friend-nevada-colorado
File name: 36dcbba1f05ae2bc302ae82c5b85acbb6d0c7fcd
Signature: GandCrab
File size: 329'225 bytes
First seen: 2022-11-30 09:20:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9e85bc8cd0863f7512a06d6eb4c79827 (9 x GandCrab)
ssdeep: 6144:FfwD/eHK1rGTAOfrIV/QHxOtJkkgYsGGdzKLK:FfwDz1+q4Hsi+LK
Threatray: 2'698 similar samples on MalwareBazaar
TLSH: T1A264AE52B083D032D63E19750AE49A7C2A7CBD308BB78B7F77A427750D243536625BA3
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: EstisRemiel
Tags: exe

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 172
Origin country: HK
Vendor Threat Intelligence
Malware family: gandcrab
ID: 1
File name: 36dcbba1f05ae2bc302ae82c5b85acbb6d0c7fcd
Verdict: Malicious activity
Analysis date: 2022-11-30 09:35:07 UTC
Tags: trojan ransomware gandcrab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GrandCrab, Gandcrab, ReflectiveLoader
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to determine the online IP of the system
Detected GrandCrab Ransomware (through HCA data)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gandcrab
Yara detected ReflectiveLoader
Behaviour
Behavior Graph:
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2019-11-05 22:07:37 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 27 of 27 (100.00%)
Threat level: 5/5
Result
Malware family: gandcrab
Score: 10/10
Tags: family:gandcrab backdoor persistence ransomware
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Enumerates connected drives
Unexpected DNS network traffic destination
GandCrab payload
Gandcrab
Gathering data
Unpacked files
SHA256 hash: 0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
MD5 hash: f79e0245a46effdfcafa8feedd2e6fd1
SHA1 hash: 4dcdc2021fa1578ddcd25660e4135ac39995b769
Detections: win_gandcrab_auto
Parent samples :
SHA256 hash: 245ff054da4a6cb23a64b0fa4029e3ce278670fe64061dcae6f81e4c90be4901
MD5 hash: 17093a2ba053dc45365e87adaf740f0e
SHA1 hash: 36dcbba1f05ae2bc302ae82c5b85acbb6d0c7fcd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments