MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GandCrab


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a
SHA3-384 hash: 5ac3e3ba66d617964e16f6434b6b45ea5702dee49e5b258efa81e61a0ba1689e03fb11d178fcad341e0fbf3a95fff9f0
SHA1 hash: 0d09957ebbcff182c7a6bad5445e8d39b7e9776a
MD5 hash: 5ae87aa294d0cd02aa5e51556fd26129
humanhash: november-east-carbon-table
File name:d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a
Download: download sample
Signature GandCrab
Create hunting rule
File size:71'168 bytes
First seen:2022-08-30 18:24:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b11af918234585a966ca8fab046dc6c (1'243 x GandCrab, 1 x Ransomware)
ssdeep 1536:JZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:1BounVyFHpfMqqDL2/Lkvd
Threatray 231 similar samples on MalwareBazaar
TLSH T17A636A0EA2E1A193E1F357B9FA757E65446E3D203B289BDB099359852D630F0793B303
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter OSimao
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
gandcrab
Create hunting rule
ID:
1
File name:
d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a
Verdict:
Malicious activity
Analysis date:
2022-08-30 19:27:49 UTC
Tags:
ransomware gandcrab trojan
Link:
https://app.any.run/tasks/e1a47cf4-c637-42f2-811c-b5e685c247d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gandcrab
Create hunting rule
Link:
https://www.capesandbox.com/analysis/302717/
Detection(s):
Win.Ransomware.Gandcrab-6667060-0
Create hunting rule

Win.Ransomware.Gandcrab-6502432-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Creating a process with a hidden window
Setting a single autorun event
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30946/overview
Behaviour
MalwareBazaar
EnumerateProcesses
CallSleep
ComputerProcessor
CallCrc32
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe evasive greyware ransomware shell32.dll
Link:
https://www.filescan.io/uploads/630e566cfbf1afa4927a3e13/reports/c044da64-c872-47fa-97ab-82d5112b0c17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GandCrab
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61acf907-b029-4aac-9ceb-e46557071b93
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a/
Threat name:
Win32.Ransomware.GandCrab
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 12:24:25 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
38 of 40 (95.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27zzjut6yq3xa2kbqnqb5xwj7louwvi3ue5tyyo7ddkd5ddibmna._file
Verdict:
malicious
Similar samples:
0e9c843884809ef8dce972748a6d0bd1ee6d03f946fa09f6a8e6e73653534e7e
GandCrab
2d4fed9f16b3c4cece6d0f772cfb23e7b3a88406a704b05a10315a61f7d668e4
GandCrab
67d975966ed3704f670160934545d894ad1ebbdbe0ece48f52ac119ec81d9649
GandCrab
6d6a6e10aec51e3e4ab20a85815a84e0bbc76b5c67df4b01ab004bbfbd5f2116
GandCrab
76acd6a4c299297d1f00914890f720b8226689766a755e85d50e4b7037a0797f
GandCrab
848f57c8d38c1b7804d068efc7be260a0ea8e96ad5f7de88d2c4af34d20e87ed
GandCrab
906210fcd207bfc56d7529dd72fe88c191988075dba614e89ed7b4ad259e74dc
GandCrab
a6e06a8cddd4876f11a3f9b56ed882f2372ead007be65ba34daf739362f2f99e
GandCrab
c4add404c2f3679af99f3b4a508c87d1a4e320841e4119e390baa84aa6958a23
GandCrab
cf4c710231041c8b4be37929d084516aa94e6eff7de3c2820ff339cd05a30ab8
GandCrab
+ 221 additional samples on MalwareBazaar
Result
Malware family:
gandcrab
Create hunting rule
Score:
  10/10
Tags:
family:gandcrab persistence
Link:
https://tria.ge/reports/220830-w2ly2schem/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Unpacked files
SH256 hash:
d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a
MD5 hash:
5ae87aa294d0cd02aa5e51556fd26129
SHA1 hash:
0d09957ebbcff182c7a6bad5445e8d39b7e9776a
Detections:
win_gandcrab_auto
Create hunting rule
Link:
https://www.unpac.me/results/ce8d69e9-e6ba-4f58-b677-bf13ee8f107f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7f394d27ec43770694183601edec9fadd4b551ba13b3c61df18d43e8c680b1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Gandcrab
Create hunting rule
Author:kevoreilly
Description:Gandcrab Payload
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_RANSOMWARE_Indicator_Jul20
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Rule name:SUSP_RANSOMWARE_Indicator_Jul20_RID31A2
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Rule name:win_gandcrab_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gandcrab.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/302717/

Comments