- #GandCrab v3 #Ransomware #Trojan
- ----------------------------------------
- 18-06-2018 IOCs
- ----------------------------------------
- Main object- "MOV_43.js"
- sha256 60e96944d6505f77a4d865d3c5500f80547f4f3eb3f868b06ab62dfeb0b71e27
- sha1 85c9cb7a8a8b78c28960e669d4f17c1e0dc44c9a
- md5 f7bca1c9011e0e96d412c137bf71be1b
- Dropped executable file
- sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\1[1].pdf 507de2042fa0289a5a39fc8f72ad4d1d27cca39f481db133bda2f689d380e105
- sha256 C:\Users\admin\AppData\Roaming\Microsoft\xzldbg.exe 046891cb3e3e56efe3ccae11833d23d27675a5f9b0d0fb24d6e280728f150d66
- DNS requests
- domain www.torproject.org
- domain carder.bit
- domain ipv4bot.whatismyipaddress.com
- domain ns1.wowservers.ru
- domain yayasanarrisalah.com
- Connections
- HTTP/HTTPS requests
- url http://carder.bit/lferelf?s=owb
- url http://carder.bit/eresee?score=er
- url http://yayasanarrisalah.com/update.php
- url http://carder.bit/
- ------------------------------------------------
- RANSOM NOTE:
- ---= GANDCRAB V3 =---
- Attention!
- All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
- The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
- The server with your key is in a closed network TOR. You can get there by the following ways:
- 0. Download Tor browser - https://www.torproject.org/
- 1. Install Tor browser
- 2. Open Tor Browser
- 3. Open link in TOR browser: http://gandcrab2pie73et.onion/b99ffda26b799fa
- 4. Follow the instructions on this page
- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
- The alternative way to contact us is to use Jabber messanger. Read how to:
- 0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
- 1. Register new account: http://sj.ms/register.php
- 0) Enter "username": b99ffda26b799fa
- 1) Enter "password": your password
- 2. Add new account in Psi
- 3. Add and write Jabber ID: ransomware@sj.ms any message
- 4. Follow instruction bot
- ATTENTION!
- It is a bot! It's fully automated artificial system without human control!
- To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
- You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
- CAUGHTION!
- Do not try to modify files or use your own private key. This will result in the loss of your data forever!