File name: | B5A15C04528F74F48E2C460AD1760E38.bin |
Full analysis: | https://app.any.run/tasks/9c2b1b24-baf1-4155-8cde-8b574a97ed27 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | January 17, 2020, 20:40:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B5A15C04528F74F48E2C460AD1760E38 |
SHA1: | 40E47DE0A384528BC62CE0CDFE8FA7A5ABF1311C |
SHA256: | 747099C74D1FF6FED16E3B1548DD5D1B1346D63C19F56D31CBEE1F78CACD859F |
SSDEEP: | 3072:fadz2hddv/kXZzX/EGK2ieqsjEY3a+kwlYQYNrXZoG8u2tn6gZ87Q8b1BD6OcA:fPh/v/kSGqY237Xq3u2h6gErD6s |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:05:25 11:04:25+02:00 |
PEType: | PE32 |
LinkerVersion: | 14 |
CodeSize: | 62976 |
InitializedDataSize: | 16678912 |
UninitializedDataSize: | - |
EntryPoint: | 0x158f |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.0.4.0 |
ProductVersionNumber: | 2.0.4.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 25-May-2018 09:04:25 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 25-May-2018 09:04:25 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000F56B | 0x0000F600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65746 |
.rdata | 0x00011000 | 0x000063D4 | 0x00006400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.25714 |
.data | 0x00018000 | 0x00FC6940 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.45034 |
.gfids | 0x00FDF000 | 0x000000AC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.43008 |
.rsrc | 0x00FE0000 | 0x0001ADFC | 0x0001AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.98955 |
.reloc | 0x00FFB000 | 0x00000F00 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.4086 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.21085 | 92 | UNKNOWN | UNKNOWN | RT_VERSION |
101 | 1.83876 | 20 | UNKNOWN | English - United Kingdom | RT_GROUP_CURSOR |
105 | 3.07817 | 296 | UNKNOWN | UNKNOWN | RT_DIALOG |
155 | 7.9981 | 108209 | UNKNOWN | UNKNOWN | VMC |
227 | 4.53156 | 373 | UNKNOWN | UNKNOWN | HUHAMOVETOKETUMODIFEJIGEFASO |
509 | 3.30513 | 184 | UNKNOWN | UNKNOWN | RT_ACCELERATOR |
GDI32.dll |
KERNEL32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1504 | "C:\Users\admin\Desktop\B5A15C04528F74F48E2C460AD1760E38.bin.exe" | C:\Users\admin\Desktop\B5A15C04528F74F48E2C460AD1760E38.bin.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
3152 | nslookup carder.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1448 | nslookup ransomware.bit ns2.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3244 | nslookup carder.bit ns2.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2128 | nslookup ransomware.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3896 | nslookup carder.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2700 | "C:\Users\admin\Desktop\B5A15C04528F74F48E2C460AD1760E38.bin.exe" | C:\Users\admin\Desktop\B5A15C04528F74F48E2C460AD1760E38.bin.exe | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3928 | nslookup ransomware.bit ns2.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2728 | nslookup carder.bit ns2.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1972 | nslookup ransomware.bit ns1.wowservers.ru | C:\Windows\system32\nslookup.exe | B5A15C04528F74F48E2C460AD1760E38.bin.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
Operation: | write | Name: | sqmkmywwzee |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\erbjqi.exe" | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1504) B5A15C04528F74F48E2C460AD1760E38.bin.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\B5A15C04528F74F48E2C460AD1760E38_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1504 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_90059c37-1320-41a4-b58d-2b75a9850d2f | — | |
MD5:— | SHA256:— | |||
1504 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ipv4bot_whatismyipaddress_com[1].htm | — | |
MD5:— | SHA256:— | |||
1504 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | C:\Users\admin\AppData\Roaming\Microsoft\erbjqi.exe | executable | |
MD5:F857CCCF50E4CBFC78147F65E9CDA747 | SHA256:08B9C9AB10A5BFB5A27C7C63758EDA4FF576DEED7B03996D739711A6D119F494 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1504 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | GET | 200 | 66.171.248.178:80 | http://carder.bit/ | US | text | 13 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3152 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
1448 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
1504 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | 66.171.248.178:80 | ipv4bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3896 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
3244 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
3928 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
2128 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
3256 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
2728 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
1932 | nslookup.exe | 185.103.243.59:53 | ns1.wowservers.ru | Astralus B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
ipv4bot.whatismyipaddress.com |
| shared |
ns1.wowservers.ru |
| malicious |
carder.bit |
| malicious |
ns2.wowservers.ru |
| malicious |
ransomware.bit |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1504 | B5A15C04528F74F48E2C460AD1760E38.bin.exe | A Network Trojan was detected | ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1 |
3152 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) |
3152 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3152 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3152 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3152 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
1448 | nslookup.exe | A Network Trojan was detected | ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) |
1448 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
1448 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
1448 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |