MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98b468e708f22b86af58c0b3157bef6a94e15505170668e4046817edaca31e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 8

SHA256 hash: 98b468e708f22b86af58c0b3157bef6a94e15505170668e4046817edaca31e70
SHA3-384 hash: 6b400e12be377c1b709f4ae05fb47cf1d5351548ebdf74b61b4a3637526bd22c0c6cd18a7dd5fe63a11f0ed62cf4d6f5
SHA1 hash: 30a875fccdaaea2008c622e062a5e5621ccaf1b7
MD5 hash: b4aa5b1b80f8c194dc7a774d0ef34803
humanhash: white-kansas-red-winter
File name: 98b468e708f22b86af58c0b3157bef6a94e15505170668e4046817edaca31e70
Download: download sample
Signature: GandCrab
File size: 6'748'144 bytes
First seen: 2022-08-30 21:13:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 98304:55AMpPaGKFjrINbo0ySv3WToPE+jYR8suDSHT8uVq8u5PVeTQSe5044G:5LpPa9FAK0yoJs+IFuDSz/Vije8Fi44G
TLSH: T114663361E7D585B3D4B35970565CCA29297CBA702E65EB6FF3E45E0ECA21080E221F33
TrID:
  89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: OSimao
Tags: exe Gandcrab

Intelligence

File Origin
# of uploads: 1
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Searching for synchronization primitives
  Creating a file in the %temp% subdirectories
  Creating a process from a recently created file
  Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2019-11-13 00:15:02 UTC
File Type: PE (Exe)
Extracted files: 3184
AV detection: 28 of 41 (68.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Loads dropped DLL
  Executes dropped EXE
Unpacked files
SHA256 hash: ea91a0f9190eb05c2a5ef4e861808d676342809c9625d5bc4a3368f4822a7f80
MD5 hash: 8f1a2804f1239a6b9cabfa57bac7633c
SHA1 hash: cee4b46cf2c6de94b601788f83a8b1ecff239ffb

SHA256 hash: 696dd5a1e8021a7624e5d7f4218c4a8ba93863549bc816a4fb3b4f24982c16ae
MD5 hash: 0c584d25677d7e78fd921d24d9a803e9
SHA1 hash: 46a0d5d98ea923987b1b14366bd44e4b32e45c65

SHA256 hash: 465108c5108ad5accd6ba3392134ead297652ede6bfb2a1886b69d03ee60806a
MD5 hash: 98f141361157ae4b2283d45132edd71b
SHA1 hash: b444e22e503c02dc15cb27319ebb34aeac3dff09

SHA256 hash: 6d12463945f8e5471fbc06e85b6f5459b1c8e5eec15d5a8fbaab446611ac1916
MD5 hash: 5f281f76b601098631d66fe7b4e02ecc
SHA1 hash: 74da91e615c74e408504ffb41b0281a9e14c9322

SHA256 hash: bf3d0ed3bd5b622ca9cb33963d36aef9dc98c1709744f10126e0a8d21a230c90
MD5 hash: eb640b542fdd0bbe152e8060e39e7bfb
SHA1 hash: 5ffe80ceb67de5396edb22eb6a636f03d34f18c3

SHA256 hash: 817f0e262c72343cca13050f89e32e438f76f191d24f13cd9121a8541adf88b1
MD5 hash: 0af02ab0326249384bd96515d3869dfc
SHA1 hash: 2a81e6370e6ba6ffef501a33a5870dec2204dde1

SHA256 hash: 8d6d89b02c5a1afc93e6bb4d9846da5a0f693208ba8452eb41d0657872bffa32
MD5 hash: ba294b0fc0be2035479846791b67f357
SHA1 hash: f141eb1c4f77dfaad6dabb3618df725222f233dc

SHA256 hash: afecad8d9be5b025ba9ba483a1d92e1eb1dc2b65a1632d785d38e43799b202dd
MD5 hash: bd8f4375271918406901166483047bf8
SHA1 hash: c9c5d986ada38752c6ac79cb674557d2cd4d1532

SHA256 hash: 96e253cbe814c24931ddc3fca09e58e74f2a2be66d3c14c472ab875ff4ac52a7
MD5 hash: 68eb081ba3cbc734a872c962a9c60988
SHA1 hash: 5c67678c7df90043981a1e9fdf7757d0fca6e2de

SHA256 hash: 98b468e708f22b86af58c0b3157bef6a94e15505170668e4046817edaca31e70
MD5 hash: b4aa5b1b80f8c194dc7a774d0ef34803
SHA1 hash: 30a875fccdaaea2008c622e062a5e5621ccaf1b7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.
