Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Gandcrab"
- * MalScore: 10.0
- * File Name: "Exes_b4fc1596157eb7b7900dd1da72c301c4.exe"
- * File Size: 219661
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad"
- * MD5: "b4fc1596157eb7b7900dd1da72c301c4"
- * SHA1: "e0c4095c71475036bd79f8bb926fcb575d446d36"
- * SHA512: "6a7f72c23344c128dc1d7c25942affedd7c36960da229caebee274c395013d07db9bcb77a24f8cf00e765cbbd1d346cb925dc67a63ac9da2c3621c49c1c1cf48"
- * CRC32: "C2C5EB0F"
- * SSDEEP: "3072:ePI88gNJMXBNO2gwvT+qaRER85N/0N9eaoRSh+KpVmytJKF7Gb:yI8FNmBJrxR85N/0N9eao+UCJsM"
- * Process Execution:
- "WJhL3edMezLSjyf.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe",
- "nslookup.exe"
- * Executed Commands:
- "nslookup carder.bit ns1.wowservers.ru",
- "nslookup ransomware.bit ns2.wowservers.ru",
- "nslookup carder.bit ns2.wowservers.ru",
- "nslookup ransomware.bit ns1.wowservers.ru"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "WJhL3edMezLSjyf.exe tried to sleep 380 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: WJhL3edMezLSjyf.exe, pid: 1528, offset: 0x00000000, length: 0x00035a0d"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://carder.bit/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.77, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00021400, virtual_size: 0x000213e8"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "nslookup carder.bit ns1.wowservers.ru"
- "command": "nslookup ransomware.bit ns2.wowservers.ru"
- "command": "nslookup carder.bit ns2.wowservers.ru"
- "command": "nslookup ransomware.bit ns1.wowservers.ru"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\mjmpdzutmwx"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe\""
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "WJhL3edMezLSjyf.exe:1528"
- "Description": "CAPE detected the Gandcrab malware family",
- "Details":
- "Description": "File has been identified by 63 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.30997249"
- "FireEye": "Generic.mg.b4fc1596157eb7b7"
- "CAT-QuickHeal": "Trojan.Mauvaise.SL1"
- "ALYac": "Trojan.Ransom.GandCrab"
- "Malwarebytes": "Trojan.MalPack.Generic"
- "Zillya": "Trojan.GandCrypt.Win32.445"
- "SUPERAntiSpyware": "Trojan.Agent/Gen-Kryptik"
- "K7AntiVirus": "Trojan ( 0053305e1 )"
- "Alibaba": "VirTool:Win32/CeeInject.80aada57"
- "K7GW": "Trojan ( 0053305e1 )"
- "Cybereason": "malicious.6157eb"
- "Arcabit": "Trojan.Generic.D1D8FB01"
- "Invincea": "heuristic"
- "F-Prot": "W32/S-00ee55d1!Eldorado"
- "Symantec": "Ransom.GandCrab"
- "APEX": "Malicious"
- "Avast": "Win32:RansomX-gen Ransom"
- "ClamAV": "Win.Ransomware.Gandcrab-6986826-0"
- "Kaspersky": "HEUR:Trojan.Win32.Generic"
- "BitDefender": "Trojan.GenericKD.30997249"
- "NANO-Antivirus": "Trojan.Win32.Encoder.fehhuu"
- "Paloalto": "generic.ml"
- "AegisLab": "Trojan.Win32.Generic.4!c"
- "Rising": "Ransom.GandCrypt!8.F33E (TFE:5:Y9LzsMtRkxR)"
- "Ad-Aware": "Trojan.GenericKD.30997249"
- "Emsisoft": "Trojan.Crypt (A)"
- "Comodo": "TrojWare.Win32.Chapak.FS@7prmd9"
- "F-Secure": "Trojan.TR/FileCoder.EV"
- "DrWeb": "Trojan.Encoder.24384"
- "VIPRE": "Trojan.Win32.Generic!BT"
- "TrendMicro": "Ransom_GANDCRAB.SMALY-3"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dc"
- "Trapmine": "malicious.high.ml.score"
- "Sophos": "Mal/GandCrab-B"
- "SentinelOne": "DFI - Malicious PE"
- "Cyren": "W32/S-00ee55d1!Eldorado"
- "Jiangmin": "Trojan.PSW.Coins.nk"
- "Webroot": "W32.Trojan.Gen"
- "Avira": "TR/FileCoder.EV"
- "Antiy-AVL": "TrojanPSW/Win32.Coins"
- "Microsoft": "VirTool:Win32/CeeInject.AIB!bit"
- "Endgame": "malicious (high confidence)"
- "ViRobot": "Trojan.Win32.GandCrab.Gen.A"
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- "GData": "Trojan.GenericKD.30997249"
- "TACHYON": "Ransom/W32.GandCrab.219661"
- "AhnLab-V3": "Win-Trojan/Gandcrab02.Exp"
- "Acronis": "suspicious"
- "McAfee": "GenericRXGJ-JL!B4FC1596157E"
- "MAX": "malware (ai score=100)"
- "VBA32": "BScope.TrojanPSW.Stealer"
- "Cylance": "Unsafe"
- "Zoner": "Trojan.Win32.68915"
- "ESET-NOD32": "Win32/Filecoder.GandCrab.B"
- "TrendMicro-HouseCall": "Ransom_GANDCRAB.SMALY-3"
- "Tencent": "Win32.Ransomware.Gandcrab.Auto"
- "Yandex": "Trojan.PWS.Coins!"
- "Ikarus": "Trojan-Ransom.GandCrab"
- "Fortinet": "W32/GenKryptik.CNAR!tr"
- "AVG": "Win32:RansomX-gen Ransom"
- "Panda": "Trj/Genetic.gen"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "Win32/Trojan.Multi.daf"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Ransomware.Gandcrab-6986826-0, sha256:0452a7ada10bdeda0eb905da0549955f9ce8486ff7cf76a51d73f90a90e89aad, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Ransomware.Gandcrab-6986826-0, sha256:2b5d9fdd18783e48c626d26181573ec4c4b99b1a56286c7ef2178b5f409ae654 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe"
- "percent_match": 99
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"
- "signature": "ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1"
- "signature": "ET CURRENT_EVENTS DNS Query Domain .bit"
- "signature": "ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\pc_group=WORKGROUP&ransom_id=d863cd4ec1c5b64f",
- "IESQMMUTEX_0_208"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\odpbdk.exe",
- "\\Device\\NamedPipe"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\mjmpdzutmwx",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "ipv4bot.whatismyipaddress.com",
- "answers":
- "data": "66.171.248.178",
- "type": "A"
- "type": "A",
- "request": "ns1.wowservers.ru",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "PTR",
- "request": "8.8.8.8.in-addr.arpa",
- "answers":
- "data": "dns.google",
- "type": "PTR"
- "type": "A",
- "request": "carder.bit",
- "answers":
- "type": "AAAA",
- "request": "carder.bit",
- "answers":
- "type": "A",
- "request": "ns2.wowservers.ru",
- "answers":
- "type": "A",
- "request": "ransomware.bit",
- "answers":
- "type": "AAAA",
- "request": "ransomware.bit",
- "answers":
- * Domains:
- "ip": "",
- "domain": "ns1.wowservers.ru"
- "ip": "",
- "domain": "carder.bit"
- "ip": "",
- "domain": "ns2.wowservers.ru"
- "ip": "",
- "domain": "ransomware.bit"
- "ip": "66.171.248.178",
- "domain": "ipv4bot.whatismyipaddress.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://carder.bit/",
- "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
- "method": "GET",
- "host": "carder.bit",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: carder.bit\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "66.171.248.178",
- "inaddrarpa": "",
- "hostname": "ipv4bot.whatismyipaddress.com"
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement