MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0e0d11a66b1a521d07699e2c57919267b8a86c8f8611768c08777a2bcd804bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GandCrab

Vendor detections: 2

Intelligence 2 IOCs YARA 1 File information Comments

SHA256 hash:	c0e0d11a66b1a521d07699e2c57919267b8a86c8f8611768c08777a2bcd804bd
SHA3-384 hash:	e7369cec982fa5b6e28fd7781fd525a661805f3cb88089ab97e331fa5f97e261cb7d01f829e4be54a15184098437e749
SHA1 hash:	9d0f9de83912e7b6a55ed9a9d4d5b066577a1916
MD5 hash:	cfa9f34956dfa2842ad1412490e4eb16
humanhash:	red-hot-happy-freddie
File name:	WiseFax-0304201958032204.doc.exe
Download:	download sample
Signature	GandCrab Create hunting rule
File size:	273'920 bytes
First seen:	2020-04-30 07:31:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d138b524bd78272875fbbdc19e717f98 (1 x GandCrab)
ssdeep	6144:hKM2wqZ+s0WCaQo2UNlgCFJlAVFilX8m6:MM2BZ+snQoZBA7iN8m
Threatray	1'426 similar samples on MalwareBazaar
TLSH	28443C26A86C7F48D923B335710B1F3655F68B1F3B69556CEAFE4BB1F1646000A6308B
Reporter	jarumlus
Tags:	Gandcrab

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Packer.Upx-4

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2019-04-04 00:44:00 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

unknown

GandCrab

1f3842bc152088bc10de6e14adabf860902dee318375a6567e0b85a9faaed1f0

GandCrab

52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea

GandCrab

67d53f916dfaa58825da5c4141cbb338b286aab1de054bd46c0c1f989519491f

GandCrab

89b6341763b7e43e9616702513b7261434ce1042652403cddf2195bce2000c1b

GandCrab

8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325

GandCrab

b916202c699d0d50b0da48ee8a287bfc5a98cbb975e46792a95c767ac5b6b2d0

GandCrab

e5293306e26acee08b59796c2a80b2e9e36f4ec027016a908b4beb24f83bd8e7

GandCrab

eba6afed10bd6e1475067da62d7dd7b4b2d56b0dce09edb2cfd0a0d7bc1c0047

GandCrab

fa3981228b5b124a8b51fa64f8b6d5d05899165647dc50322b717d7ab63d4997

GandCrab

+ 1'416 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_gandcrab_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample