File name: | B5A15C04528F74F48E2C460AD1760E38.bin |
Full analysis: | https://app.any.run/tasks/5e27edf3-5bb7-4d12-90d3-b652a69be723 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | January 18, 2020, 06:10:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B5A15C04528F74F48E2C460AD1760E38 |
SHA1: | 40E47DE0A384528BC62CE0CDFE8FA7A5ABF1311C |
SHA256: | 747099C74D1FF6FED16E3B1548DD5D1B1346D63C19F56D31CBEE1F78CACD859F |
SSDEEP: | 3072:fadz2hddv/kXZzX/EGK2ieqsjEY3a+kwlYQYNrXZoG8u2tn6gZ87Q8b1BD6OcA:fPh/v/kSGqY237Xq3u2h6gErD6s |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:05:25 11:04:25+02:00 |
PEType: | PE32 |
LinkerVersion: | 14 |
CodeSize: | 62976 |
InitializedDataSize: | 16678912 |
UninitializedDataSize: | - |
EntryPoint: | 0x158f |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.0.4.0 |
ProductVersionNumber: | 2.0.4.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 25-May-2018 09:04:25 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 25-May-2018 09:04:25 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000F56B | 0x0000F600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65746 |
.rdata | 0x00011000 | 0x000063D4 | 0x00006400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.25714 |
.data | 0x00018000 | 0x00FC6940 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.45034 |
.gfids | 0x00FDF000 | 0x000000AC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.43008 |
.rsrc | 0x00FE0000 | 0x0001ADFC | 0x0001AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.98955 |
.reloc | 0x00FFB000 | 0x00000F00 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.4086 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.21085 | 92 | UNKNOWN | UNKNOWN | RT_VERSION |
101 | 1.83876 | 20 | UNKNOWN | English - United Kingdom | RT_GROUP_CURSOR |
105 | 3.07817 | 296 | UNKNOWN | UNKNOWN | RT_DIALOG |
155 | 7.9981 | 108209 | UNKNOWN | UNKNOWN | VMC |
227 | 4.53156 | 373 | UNKNOWN | UNKNOWN | HUHAMOVETOKETUMODIFEJIGEFASO |
509 | 3.30513 | 184 | UNKNOWN | UNKNOWN | RT_ACCELERATOR |
GDI32.dll |
KERNEL32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2692 | "C:\Users\admin\AppData\Local\Temp\B5A15C04528F74F48E2C460AD1760E38.bin.exe" | C:\Users\admin\AppData\Local\Temp\B5A15C04528F74F48E2C460AD1760E38.bin.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
2136 | nslookup carder.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3000 | nslookup ransomware.bit ns2.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2152 | nslookup carder.bit ns2.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
720 | nslookup ransomware.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1940 | nslookup carder.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3952 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\minichild.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2692 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_90059c37-1320-41a4-b58d-2b75a9850d2f | — | |
MD5:— | SHA256:— | |||
2692 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ipv4bot_whatismyipaddress_com[1].htm | — | |
MD5:— | SHA256:— | |||
3952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR82E1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\minichild.rtf.LNK | lnk | |
MD5:05F59134228F35E1615A851EA9041875 | SHA256:49818AC014102F439D7C7A252F52B8B60935D93B0A9C6F80D747904377408BBF | |||
3952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:5FBA72B8C0D24B7A7E190A2EA4F0DF84 | SHA256:4387BA5E576B0AE05FC1A931AAB3ECB383A7AC23F72BAC40BECBC48E68555B06 | |||
2692 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | C:\Users\admin\AppData\Roaming\Microsoft\dlwwvl.exe | executable | |
MD5:73D2B8C18D61806AC35C8BA32A66A71F | SHA256:A84342BB75B7273DB703F9CD4BD87C5104751196EAB74D6840EACB94FE242B47 | |||
3952 | WINWORD.EXE | C:\Users\admin\Desktop\~$nichild.rtf | pgc | |
MD5:234D8B1EFACEDBF71E5FA68F6FEFEB21 | SHA256:E2F301EA51F8A7ADC5F0D9DF8E7EC4DF8E27E59AD8F259DE435658B2F0603A6D | |||
3952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:89A86EA997A9C491E98D7B72C2A23066 | SHA256:BBBFD4CF6E7629CDFE9C9634F16AD4D43C3D7E43835B87A585F05AE6F8C8E3EA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2692 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | GET | 200 | 66.171.248.178:80 | http://carder.bit/ | US | text | 14 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2152 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
3000 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
2692 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | 66.171.248.178:80 | ipv4bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2136 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
720 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
1940 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
ipv4bot.whatismyipaddress.com |
| shared |
ns1.wowservers.ru |
| malicious |
59.243.103.185.in-addr.arpa |
| unknown |
carder.bit |
| malicious |
ns2.wowservers.ru |
| malicious |
ransomware.bit |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2692 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | A Network Trojan was detected | ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1 |
2136 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) |
2136 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2136 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2136 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
2136 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3000 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) |
3000 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3000 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3000 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |