MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GandCrab


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649
SHA3-384 hash: 5b7321eb77fed3047e4595b4aef3704ad65ca9c0fb03d5f40eecaee38df7e68e875b602fca5f9a4024e1ba0a36ba8bea
SHA1 hash: f8d9608491b1a0acc2583e50b43a0deb97aeba20
MD5 hash: a02161ff5287e24686a29b7063731f0e
humanhash: three-tango-purple-lithium
File name:67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649
Download: download sample
Signature GandCrab
Create hunting rule
File size:71'168 bytes
First seen:2022-08-30 18:19:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b11af918234585a966ca8fab046dc6c (1'243 x GandCrab, 1 x Ransomware)
ssdeep 1536:9ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:hBounVyFHpfMqqDL2/Lkvd
Threatray 212 similar samples on MalwareBazaar
TLSH T1A5636A0EA2E1A193E1F357B9FA757E65446E3D203B289BDB099359852D630F0793B303
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter OSimao
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
gandcrab
Create hunting rule
ID:
1
File name:
67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649
Verdict:
Malicious activity
Analysis date:
2022-08-30 18:20:19 UTC
Tags:
ransomware gandcrab trojan
Link:
https://app.any.run/tasks/dc5f8b5f-bb4a-4e7e-9a0f-c616c53e63fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gandcrab
Create hunting rule
Link:
https://www.capesandbox.com/analysis/302639/
Detection(s):
Win.Ransomware.Gandcrab-6667060-0
Create hunting rule

Win.Ransomware.Gandcrab-6502432-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Launching a process
Creating a process with a hidden window
Setting a single autorun event
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30897/overview
Behaviour
MalwareBazaar
EnumerateProcesses
CallSleep
CallCrc32
ComputerProcessor
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe evasive greyware ransomware shell32.dll
Link:
https://www.filescan.io/uploads/630e5569a7450371f68ecf77/reports/08513a28-c75a-4241-a3ad-4d9374581f66/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GandCrab
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b10fd293-8eb3-42c2-afef-52145f4396a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649/
Threat name:
Win32.Ransomware.GandCrab
Create hunting rule
Status:
Malicious
First seen:
2018-03-21 04:15:30 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7mxlfto2nye6zybmcjukroysswr5o634dwojd2svqiz5sa5szeq._file
Verdict:
malicious
Similar samples:
026ef36e6eb1e55f8cbb858e4777c9148d1e91ee9c0a7f6b3a8d176b5324e811
GandCrab
0e9c843884809ef8dce972748a6d0bd1ee6d03f946fa09f6a8e6e73653534e7e
GandCrab
2d4fed9f16b3c4cece6d0f772cfb23e7b3a88406a704b05a10315a61f7d668e4
GandCrab
567ec9cebc4fda6f06b366df084cf4da1623566c7dc560799bea2f01b7b43569
GandCrab
6db19a32d62294b199a3264982f659b02f64b6171889ebec8656b4f88bf76bf2
GandCrab
76acd6a4c299297d1f00914890f720b8226689766a755e85d50e4b7037a0797f
GandCrab
848f57c8d38c1b7804d068efc7be260a0ea8e96ad5f7de88d2c4af34d20e87ed
GandCrab
906f9aa0eced0c4603c39a8a631823b04e6f5815d78034749c8229e3fe71173c
GandCrab
a6e06a8cddd4876f11a3f9b56ed882f2372ead007be65ba34daf739362f2f99e
GandCrab
d14ab5b9f83238483e1d4d7779828393ea6ce02de0bf0c55b2d306f5ed0d0b35
GandCrab
+ 202 additional samples on MalwareBazaar
Result
Malware family:
gandcrab
Create hunting rule
Score:
  10/10
Tags:
family:gandcrab persistence
Link:
https://tria.ge/reports/220830-wyq4lacgeq/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Unpacked files
SH256 hash:
67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649
MD5 hash:
a02161ff5287e24686a29b7063731f0e
SHA1 hash:
f8d9608491b1a0acc2583e50b43a0deb97aeba20
Detections:
win_gandcrab_auto
Create hunting rule
Link:
https://www.unpac.me/results/133154dd-41d7-47fb-acc3-afccabe49b6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gandcrab
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Gandcrab
Create hunting rule
Author:kevoreilly
Description:Gandcrab Payload
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_RANSOMWARE_Indicator_Jul20
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Rule name:SUSP_RANSOMWARE_Indicator_Jul20_RID31A2
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Rule name:win_gandcrab_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gandcrab.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/302639/

Comments