File name: | GandCrab.bin.zip |
Full analysis: | https://app.any.run/tasks/639bb8ec-034e-4144-b98b-d85c0e5ce030 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | January 22, 2019, 23:01:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8435576AA18BCD2FA9073B2D1EFA75D4 |
SHA1: | DBD11020200C5A462065522F2C1099B81F4BCA48 |
SHA256: | 2A8AF2F9DA1509AB2FC9AA9A5E9AC9193FA87499790EBCC3380370C57BF82A88 |
SSDEEP: | 1536:NNhnveWsDKsXwIDcSCJox5FGGwWe4YJ1nk3IaRAYw9KeaLaIY7tUYSHHv7gjSJvS:NNhnTsT0OKWe4YJ1kxANfaL3QjSHk2S |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:04:18 14:09:00 |
ZipCRC: | 0x984400f5 |
ZipCompressedSize: | 84379 |
ZipUncompressedSize: | 127488 |
ZipFileName: | GandCrab.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2840 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GandCrab.bin.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3496 | "C:\Users\admin\Desktop\GandCrab.exe" | C:\Users\admin\Desktop\GandCrab.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Version: 11.0.0.1 | ||||
3916 | nslookup gandcrab.bit a.dnspod.com | C:\Windows\system32\nslookup.exe | GandCrab.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2372 | nslookup gandcrab.bit a.dnspod.com | C:\Windows\system32\nslookup.exe | GandCrab.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3496 | GandCrab.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\ipv4bot_whatismyipaddress_com[1].htm | — | |
MD5:— | SHA256:— | |||
3496 | GandCrab.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:1BB36BC4C75A36BC003DEF4C3AD21D3A | SHA256:4981C6C172B9CF312619A4CC5A7E13C86495EF882670D2E80F6C927F86D78951 | |||
2840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2840.9756\GandCrab.exe | executable | |
MD5:A635D6A35C2FC054042B6868EF52A0C3 | SHA256:643F8043C0B0F89CEDBFC3177AB7CFE99A8E2C7FE16691F3D54FB18BC14B8F45 | |||
3496 | GandCrab.exe | C:\Users\admin\AppData\Roaming\Microsoft\vmubxd.exe | executable | |
MD5:A635D6A35C2FC054042B6868EF52A0C3 | SHA256:643F8043C0B0F89CEDBFC3177AB7CFE99A8E2C7FE16691F3D54FB18BC14B8F45 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3496 | GandCrab.exe | GET | 200 | 66.171.248.178:80 | http://ipv4bot.whatismyipaddress.com/ | US | text | 11 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3496 | GandCrab.exe | 66.171.248.178:80 | ipv4bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3916 | nslookup.exe | 58.251.121.110:53 | a.dnspod.com | China Unicom Shenzen network | CN | malicious |
2372 | nslookup.exe | 58.251.121.110:53 | a.dnspod.com | China Unicom Shenzen network | CN | malicious |
Domain | IP | Reputation |
---|---|---|
ipv4bot.whatismyipaddress.com |
| shared |
a.dnspod.com |
| shared |
gandcrab.bit |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3496 | GandCrab.exe | Misc activity | SUSPICIOUS [PTsecurity] IP Check (whatismyipaddress) |
3916 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Domain (gandcrab .bit) |
3916 | nslookup.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
3916 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Domain (gandcrab .bit) |
3916 | nslookup.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
3916 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Domain (gandcrab .bit) |
3916 | nslookup.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
3916 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Domain (gandcrab .bit) |
3916 | nslookup.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
2372 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Domain (gandcrab .bit) |