MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fe3d820ef565e3613e4f1e2c837e5462f3e5a455ef0d17cbec87a6d58d0f89f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	7fe3d820ef565e3613e4f1e2c837e5462f3e5a455ef0d17cbec87a6d58d0f89f
SHA3-384 hash:	3fb501934124ade138c620316ea4f079cbb587b2552321f550d4ed307cc6e55a7e81c682067ec313ff5647f6aabf312d
SHA1 hash:	04eec2040f4ff0158b38dbe40afb5dedc10c4fe8
MD5 hash:	7e92288cc35c2bf0da35fcb74978bd58
humanhash:	quebec-red-august-missouri
File name:	7fe3d820ef565e3613e4f1e2c837e5462f3e5a455ef0d17cbec87a6d58d0f89f
Download:	download sample
Signature	GandCrab Create hunting rule
File size:	981'421 bytes
First seen:	2022-08-30 21:58:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep	24576:ANA3R5drXPrfVLqw8tv7TTOGDXstOzC43PZ8NIw3BhY:55jVLQfTOGDXsUnh0Iw3c
TLSH	T100250202BBC288B2E673193608396B2064BC7D201E31DE5FB3D46D6DDE35191A635BB7
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	OSimao
Tags:	exe Gandcrab

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Gandcrab

Link:

https://www.capesandbox.com/analysis/305851/

Detection(s):

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/630e88c22fdf5a082593d201/reports/4f13bd5e-c5d2-4d6e-819c-4badaf35c1d6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GandCrab

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d3a78bc-351c-4096-9288-6afaae2df046

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fe3d820ef565e3613e4f1e2c837e5462f3e5a455ef0d17cbec87a6d58d0f89f/

Threat name:

Win32.Ransomware.GandCrab

Status:

Malicious

First seen:

2019-11-12 02:21:53 UTC

File Type:

PE (Exe)

Extracted files:

126

AV detection:

29 of 41 (70.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p7r5qihpkzpdme7e6hrmqn7fiyxt4wsfl3ync7f6zb5g2wgq7cpq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220830-1v5j2adad4/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

a26cbffb30b526b769797ad6800c16621c776945f840fdd7a863d68106ee8204

MD5 hash:

78b326cdb6f6ec96fa8a69472359c39c

SHA1 hash:

d47ec25ff09f46a465c8c0b9907f004b7488d4e9

Link:

https://www.unpac.me/results/0af94d36-7cc7-4485-9215-55ff78dbff23/

SH256 hash:

75e20f4c5eb00e9e5cb610273023e9d2c36392fa3b664c264b736c7cc2d1ac84

MD5 hash:

4c7d97d0786ff08b20d0e8315b5fc3cb

SHA1 hash:

bb6f475e867b2bf55e4cd214bd4ef68e26d70f6c

Link:

https://www.unpac.me/results/0af94d36-7cc7-4485-9215-55ff78dbff23/

SH256 hash:

8e4973b3afce52eb9f9c007934bae904dda840f5c978da671990954b90efb269

MD5 hash:

9a8e27de62e7b6dae766735a3a028170

SHA1 hash:

61018c5fc8a71b4e28e739023534a7adf106f5b5

Link:

https://www.unpac.me/results/0af94d36-7cc7-4485-9215-55ff78dbff23/

SH256 hash:

297e15b7b7f5e28650a84a9342f5cf8c70cc7fdbe5382884236c573bd4540183

MD5 hash:

89dfa72c390e9e1f40954828b3f0287d

SHA1 hash:

51bbddb03a5b814240394491239051955f5f77b5

Detections:

win_gandcrab_auto

Link:

https://www.unpac.me/results/0af94d36-7cc7-4485-9215-55ff78dbff23/

Parent samples :

0233c5df0dc88fcb205db8746bf91603fc5cbdd7b56ecdd323140a5b30904f01
7fe3d820ef565e3613e4f1e2c837e5462f3e5a455ef0d17cbec87a6d58d0f89f

SH256 hash:

9df92d686c367b1b09e0d9c64df8189042a20d89089776430d4cb70ef9f4390f

MD5 hash:

46648fcf1dc83fdbabf98f92e3e62a22

SHA1 hash:

370420066e36eefb76d60fded7a690c2fe22cda9

Link:

https://www.unpac.me/results/0af94d36-7cc7-4485-9215-55ff78dbff23/

SH256 hash:

7fe3d820ef565e3613e4f1e2c837e5462f3e5a455ef0d17cbec87a6d58d0f89f

MD5 hash:

7e92288cc35c2bf0da35fcb74978bd58

SHA1 hash:

04eec2040f4ff0158b38dbe40afb5dedc10c4fe8

Link:

https://www.unpac.me/results/0af94d36-7cc7-4485-9215-55ff78dbff23/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/305851/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample