MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GandCrab


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa
SHA3-384 hash: d909a8ed7005f237c9d1b9871564bfeecad854ddb4959e0568c69598ee3c553055b43e153c7dda307fea411379638baf
SHA1 hash: 6b2da895bdef52ca2a861eb344191d7fc9f67893
MD5 hash: 05ff50d5ad2b934953108a2b5b3688ff
humanhash: alaska-uniform-zulu-mars
File name:6b2da895bdef52ca2a861eb344191d7fc9f67893
Download: download sample
Signature GandCrab
Create hunting rule
File size:241'673 bytes
First seen:2022-11-30 09:14:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a586568fde1b837e3841d8a6bd7e5a84 (2 x GandCrab)
ssdeep 6144:yxVDieXuKeAOSUZYJ9JohMYRbkslNtEGpTSc:yxVD7Re148WYRbXlNtEGTSc
Threatray 2'678 similar samples on MalwareBazaar
TLSH T1C934B001F2F2C8B3E17249355CB4A6A5592EFD720F258BBF23D4125E0E79190496AFB3
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 09494a8514801021 (2 x GandCrab)
Reporter EstisRemiel
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
gandcrab
Create hunting rule
ID:
1
File name:
6b2da895bdef52ca2a861eb344191d7fc9f67893
Verdict:
Malicious activity
Analysis date:
2022-11-30 09:16:18 UTC
Tags:
trojan ransomware gandcrab
Link:
https://app.any.run/tasks/ce407af5-b20c-42fd-8535-1afd28b147b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gandcrab
Create hunting rule
Link:
https://www.capesandbox.com/analysis/339940/
Detection(s):
Win.Malware.Gandcrab-6981815-1
Create hunting rule

Win.Packed.Generic-9853074-1
Create hunting rule

Win.Packer.Crypter-6539596-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63871f1694f9bac087b3f66f/reports/80ed5cd8-d481-4dbd-a18b-0d693ba27b3d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GandCrab
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e838727-fbb6-4329-996e-f7851a28a901
Result
Threat name:
GrandCrab, Gandcrab, ReflectiveLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123960
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to determine the online IP of the system
Detected GrandCrab Ransomware (through HCA data)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses nslookup.exe to query domains
Yara detected Gandcrab
Yara detected ReflectiveLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 756683 Sample: BUf8GutAZc.exe Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 40 ransomware.bit 2->40 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 7 other signatures 2->65 8 BUf8GutAZc.exe 1 11 2->8         started        13 fexwan.exe 2->13         started        signatures3 process4 dnsIp5 42 ipv4bot.whatismyipaddress.com 8->42 38 C:\Users\user\AppData\Roaming\...\fexwan.exe, PE32 8->38 dropped 67 Detected unpacking (changes PE section rights) 8->67 69 Detected unpacking (overwrites its own PE header) 8->69 71 Detected GrandCrab Ransomware (through HCA data) 8->71 81 3 other signatures 8->81 15 nslookup.exe 1 8->15         started        18 nslookup.exe 1 8->18         started        20 nslookup.exe 1 8->20         started        22 5 other processes 8->22 73 Antivirus detection for dropped file 13->73 75 Detected unpacking (creates a PE file in dynamic memory) 13->75 77 Contains functionality to determine the online IP of the system 13->77 79 Machine Learning detection for dropped file 13->79 file6 signatures7 process8 dnsIp9 44 ns1.wowservers.ru 15->44 51 2 other IPs or domains 15->51 24 conhost.exe 15->24         started        47 ransomware.bit 18->47 53 2 other IPs or domains 18->53 26 conhost.exe 18->26         started        55 3 other IPs or domains 20->55 28 conhost.exe 20->28         started        49 ransomware.bit 22->49 57 14 other IPs or domains 22->57 30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 2 other processes 22->36 signatures10 83 May check the online IP address of the machine 44->83 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa/
Threat name:
Win32.Ransomware.GandCrab
Create hunting rule
Status:
Malicious
First seen:
2019-11-05 22:46:00 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
38 of 41 (92.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wykdt5kl3d3qtknmv6w7ezglxxlslszs4wyykjlkqcogri7kpgva._file
Verdict:
malicious
Similar samples:
125f75320c80d5b4d73c000058f26e92207d28a3d7d88551041f7a62f2a59e3c
GandCrab
21957bfa277e386c9967171dd181723fc9cc63d3ec00e782e72fa9477007c5c5
GandCrab
25cff944847dec98b79538ced3eb5a189f83f7de3ed4782297bb3c6a4f58176d
GandCrab
3cefc1579c7457564352e64b67b827b036b1cdc09b86947f3b33e0360936f664
GandCrab
70d9ee2447734940905e7ea0a3a777c25a449addcbbf9ea1914e2be7a43fb586
GandCrab
9535f9f6dcf372a58c7b396586adb22918e77e1de328ca6dc6504779586bd8ce
GandCrab
a185dde52390362b8c0e2539364480b1a4c1c01b7d9f0c133aadc2e77df0bf77
GandCrab
adec6a124ea6195af5928c34292476acbfe5bd0bec6460181a11b5778657bdd6
GandCrab
bf8eb76703eed0bd31be33d82f773aeb8e09588e36a8bdb0c12f96d0f85b4036
GandCrab
f298a330f8e845b60ed6703f6dd5c3712375b539ffaaac6e52c649e9ffb0cfa4
GandCrab
+ 2'668 additional samples on MalwareBazaar
Result
Malware family:
gandcrab
Create hunting rule
Score:
  10/10
Tags:
family:gandcrab backdoor persistence ransomware
Link:
https://tria.ge/reports/221130-k7wvnaae8z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Enumerates connected drives
Unexpected DNS network traffic destination
GandCrab payload
Gandcrab
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4ada19c-8da7-4865-9677-7426af9fa991
Unpacked files
SH256 hash:
0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
MD5 hash:
f79e0245a46effdfcafa8feedd2e6fd1
SHA1 hash:
4dcdc2021fa1578ddcd25660e4135ac39995b769
Detections:
win_gandcrab_auto
Create hunting rule
Link:
https://www.unpac.me/results/76adb5a7-65ff-4618-8c2a-f12a36d46587/
Parent samples :
0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad
fec01ecfbc95ba154b19c1e9bb93edaa4bbed6628380b6670afe130e4b05c58b
0424f774b81dea4b18190bb972d1d61cdd5fc3c32d7dbd3654f9bb14a4e7d884
4c80e0aedee19d815c2806220d374d1c0e501528306d6a185393cd1e0795475c
125f75320c80d5b4d73c000058f26e92207d28a3d7d88551041f7a62f2a59e3c
a185dde52390362b8c0e2539364480b1a4c1c01b7d9f0c133aadc2e77df0bf77
9535f9f6dcf372a58c7b396586adb22918e77e1de328ca6dc6504779586bd8ce
bf8eb76703eed0bd31be33d82f773aeb8e09588e36a8bdb0c12f96d0f85b4036
e30572c5c1b3c8551a6080ea6757178985465f5c2e1444d31130faddc8dde887
c7674316186399d4efd355b2b670f2c203a42513755e7bd1f0a23b7206b42ce3
c14ba4f86110122a9c740a1154912942b9825289c648c79d54b6935114e4de17
b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa
7dbf5c226c252325dc0e94eadef321153fa49c2e9e0003233db2fb01154bd35e
45648cb1078b898c2f49ccdba24a160937b2aa868ab8ad80896f5374e05cc3a1
8723ec9a0f117eda5f8fba7c2766082af4301593bbb7dda11420182ca93e5746
0ba313a99df7bc369f20838932426111c7ae431d884599dc134b4821b620a5e1
cfd501952a6325c50ce683e48819e052d541452f2cf37884f653e3c7accfe2f7
245ff054da4a6cb23a64b0fa4029e3ce278670fe64061dcae6f81e4c90be4901
a7c490f7d2aa1c783ceb763f744851927ddfd4c6bc52f1f7d5802fffe6c23add
7e61526d275fcde2370cd9024cb395116a34898234e18e0037b68b7cac3363b7
8d0c3f209c3c8eabfc15ac7b53aea8e7b0e3b8fc93772bb0e9a7abfabdc3043b
6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe
1edc828da884f2b17544ba6609f55bba3c950093528a5e857a23be8ae78fcb36
bc345d907c6fde218bef52b9620066a2631bb8e47078b60363352be45ed196d5
1f3c004c5876f951a7afb57ab606de3407fcb2b830ee1baa3f2ac93c30bb25e4
283a17fe8380d7a844a035d2addc8942f9dd40352e297debf205c4cd880bbcc8
f0707ea68e6eb316e6d1f19fc4a64cf8ecea66473eb71581d748ba769e3cd1a9
589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
SH256 hash:
6c5a6a85c7664d5aae435f9ef143d964bd238b7996bee6ada973d48ed4280123
MD5 hash:
2e5750f2765b72cbcebcf0932149a675
SHA1 hash:
6856d0cb09578f0d878cedfe586352ba0972ae2d
Link:
https://www.unpac.me/results/76adb5a7-65ff-4618-8c2a-f12a36d46587/
Parent samples :
bc345d907c6fde218bef52b9620066a2631bb8e47078b60363352be45ed196d5
1f3c004c5876f951a7afb57ab606de3407fcb2b830ee1baa3f2ac93c30bb25e4
283a17fe8380d7a844a035d2addc8942f9dd40352e297debf205c4cd880bbcc8
f0707ea68e6eb316e6d1f19fc4a64cf8ecea66473eb71581d748ba769e3cd1a9
589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
SH256 hash:
b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa
MD5 hash:
05ff50d5ad2b934953108a2b5b3688ff
SHA1 hash:
6b2da895bdef52ca2a861eb344191d7fc9f67893
Link:
https://www.unpac.me/results/76adb5a7-65ff-4618-8c2a-f12a36d46587/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b61439f54bd8f709a9acafadf264cbbdd725cb32e5b185256a809c68a3ea79aa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/339940/

Comments