MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GandCrab


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc
SHA3-384 hash: 8ee3191605f762fcf39ef26bc977083dacfa7cdfe93e4fd7547576f7abc4e7a0bf993c37e43a1c1544eedd6aba2b215b
SHA1 hash: ac6770d5828f060557f5cfcc1241a87e93ef0686
MD5 hash: b8539865cf1d29ea82b007c70942cd46
humanhash: pluto-cold-louisiana-fifteen
File name:906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc
Download: download sample
Signature GandCrab
Create hunting rule
File size:71'168 bytes
First seen:2022-08-30 18:22:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b11af918234585a966ca8fab046dc6c (1'243 x GandCrab, 1 x Ransomware)
ssdeep 1536:/ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:XBounVyFHpfMqqDL2/Lkvd
Threatray 238 similar samples on MalwareBazaar
TLSH T193636A0EA2E1A193E1F357B9FA757E65446E3D203B289BDB099359852D630F0793B303
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter OSimao
Tags:exe Gandcrab

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
gandcrab
Create hunting rule
ID:
1
File name:
906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc
Verdict:
Malicious activity
Analysis date:
2022-08-30 18:28:44 UTC
Tags:
ransomware gandcrab trojan
Link:
https://app.any.run/tasks/ffbfeb9a-453e-4b39-8e64-f78f87cba273

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gandcrab
Create hunting rule
Link:
https://www.capesandbox.com/analysis/302643/
Detection(s):
Win.Ransomware.Gandcrab-6667060-0
Create hunting rule

Win.Ransomware.Gandcrab-6502432-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Launching a process
Creating a process with a hidden window
Setting a single autorun event
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30900/overview
Behaviour
MalwareBazaar
EnumerateProcesses
CallSleep
ComputerProcessor
CallCrc32
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe evasive greyware ransomware shell32.dll
Link:
https://www.filescan.io/uploads/630e5634e87b88e71be5fa13/reports/78c3ce46-e844-47ed-ad5f-6928578de16e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GandCrab
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b92afd4-9734-4e89-853f-10d298a8809d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc/
Threat name:
Win32.Ransomware.GandCrab
Create hunting rule
Status:
Malicious
First seen:
2018-03-12 01:33:50 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbrbb7gsa674k3lvfhoxf7uiygizradv3otbj2e6262k2jm6otoa._file
Verdict:
malicious
Similar samples:
67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649
GandCrab
6d6a6e10aec51e3e4ab20a85815a84e0bbc76b5c67df4b01ab004bbfbd5f2116
GandCrab
76acd6a4c299297d1f00914890f720b8226689766a755e85d50e4b7037a0797f
GandCrab
7992081c7b0dcf18b2c8a8db93f64e9590ff53c04ee0d058b3a729e318d26ba8
GandCrab
848f57c8d38c1b7804d068efc7be260a0ea8e96ad5f7de88d2c4af34d20e87ed
GandCrab
a6e06a8cddd4876f11a3f9b56ed882f2372ead007be65ba34daf739362f2f99e
GandCrab
c4add404c2f3679af99f3b4a508c87d1a4e320841e4119e390baa84aa6958a23
GandCrab
c9a26f39122d6db38950f2999e1004e844a8e369c7b2b140c4c8d5eff99200d6
GandCrab
cf4c710231041c8b4be37929d084516aa94e6eff7de3c2820ff339cd05a30ab8
GandCrab
d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a
GandCrab
+ 228 additional samples on MalwareBazaar
Result
Malware family:
gandcrab
Create hunting rule
Score:
  10/10
Tags:
family:gandcrab persistence
Link:
https://tria.ge/reports/220830-w1f2eaede9/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Unpacked files
SH256 hash:
906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc
MD5 hash:
b8539865cf1d29ea82b007c70942cd46
SHA1 hash:
ac6770d5828f060557f5cfcc1241a87e93ef0686
Detections:
win_gandcrab_auto
Create hunting rule
Link:
https://www.unpac.me/results/03a4e335-6946-43d2-9ff1-e35293e1b4d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gandcrab
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Gandcrab
Create hunting rule
Author:kevoreilly
Description:Gandcrab Payload
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_RANSOMWARE_Indicator_Jul20
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Rule name:SUSP_RANSOMWARE_Indicator_Jul20_RID31A2
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Rule name:win_gandcrab_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gandcrab.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/302643/

Comments