Field | Value
---|---
File name | crabler.exe
Full analysis | https://app.any.run/tasks/06163d9d-5f46-42ce-85ed-1d6364226a8e
Verdict | Malicious activity
Threats | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to encrypted files; if the user does not pay, the files are lost for good.
Analysis date | January 22, 2019, 15:48:39
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | 5B7AC4C6E35248E864E41ACDA7F39A8C
SHA1 | 5162B3652AA44B31E46DA4F6C1E4EFFF205A6B32
SHA256 | 93CC0D58C766904DE5EFE9EBE11531B9757A02A1C5EE8C54DE92A35D86D8956F
SSDEEP | 1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdplCaIxWzX:VM9ntZ3s1QJdnU2SQdf64ZZnCaIxWec

Extension | Type | Match (%)
---|---|---
.exe | Win32 Executable MS Visual C++ (generic) | 42.2
.exe | Win64 Executable (generic) | 37.3
.dll | Win32 Dynamic Link Library (generic) | 8.8
.exe | Win32 Executable (generic) | 6
.exe | Generic Win/DOS Executable | 2.7

Field | Value
---|---
Subsystem | Windows GUI
SubsystemVersion | 5.1
ImageVersion | -
OSVersion | 5.1
EntryPoint | 0x6229
UninitializedDataSize | -
InitializedDataSize | 68096
CodeSize | 80896
LinkerVersion | 12
PEType | PE32
TimeStamp | 2018:10:26 10:47:08+02:00
MachineType | Intel 386 or later, and compatibles
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 26-Oct-2018 08:47:08
Detected languages |

Field | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0090
Pages in file | 0x0003
Relocations | 0x0000
Size of header | 0x0004
Min extra paragraphs | 0x0000
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x0000
OEM identifier | 0x0000
OEM information | 0x0000
Address of NE header | 0x000000E8

Field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 5
Time date stamp | 26-Oct-2018 08:47:08
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00013BE4 | 0x00013C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58693 |
.rdata | 0x00015000 | 0x00006B46 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.59746 |
.data | 0x0001C000 | 0x000087F4 | 0x00006A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.15553 |
.rsrc | 0x00025000 | 0x000001E0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.7123 |
.reloc | 0x00026000 | 0x000013A8 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64868 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
Imported DLL
---
ADVAPI32.dll
GDI32.dll
KERNEL32.dll
MPR.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WININET.dll
ole32.dll

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3056 | "C:\Users\admin\AppData\Local\Temp\crabler.exe" | C:\Users\admin\AppData\Local\Temp\crabler.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM
2040 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | crabler.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: WMI Commandline Utility; Exit code: 2147749908; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3056 | crabler.exe | HKEY_CURRENT_USER\Software\ex_data\data | write | ext | 2E00700069006F0072006C006A000000 (UTF-16LE for ".piorlj")
3056 | crabler.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | public | (value omitted)
3056 | crabler.exe | HKEY_CURRENT_USER\Software\keys_data\data | write | private | (value omitted)
3056 | crabler.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
3056 | crabler.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
3056 | crabler.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\crabler_RASAPI32 | write | EnableFileTracing | 0
3056 | crabler.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\crabler_RASAPI32 | write | EnableConsoleTracing | 0
3056 | crabler.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\crabler_RASAPI32 | write | FileTracingMask | 4294901760
3056 | crabler.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\crabler_RASAPI32 | write | ConsoleTracingMask | 4294901760
3056 | crabler.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\crabler_RASAPI32 | write | MaxFileSize | 1048576

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3056 | crabler.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | — | —
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | — | —
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | — | —
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | — | —
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | — | — | —
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl | — | — | —
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Forms\PIORLJ-DECRYPT.txt | text | B9F8F4EFBC7A7413B8D68EEA18B991F8 | 469475331A9CBBFF47FE1BE143CDE7351A8B3B41C0BE01FCFB0C3FB0438D73D0
3056 | crabler.exe | C:\Users\admin\AppData\PIORLJ-DECRYPT.txt | text | B9F8F4EFBC7A7413B8D68EEA18B991F8 | 469475331A9CBBFF47FE1BE143CDE7351A8B3B41C0BE01FCFB0C3FB0438D73D0
3056 | crabler.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\PIORLJ-DECRYPT.txt | text | B9F8F4EFBC7A7413B8D68EEA18B991F8 | 469475331A9CBBFF47FE1BE143CDE7351A8B3B41C0BE01FCFB0C3FB0438D73D0
3056 | crabler.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.piorlj | binary | B1BD4474D79325271D661D4AD3B23ADE | 2F2802297F7D1AE4E8C5CB7A6F20FAA96228E95F9688E840C6509E760ABDF208

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3056 | crabler.exe | GET | — | 74.220.215.73:80 | http://www.bizziniinfissi.com/ | US | — | — | malicious |
3056 | crabler.exe | GET | — | 212.59.186.61:80 | http://www.hotelweisshorn.com/ | CH | — | — | malicious |
3056 | crabler.exe | GET | — | 192.185.159.253:80 | http://www.pizcam.com/ | US | — | — | malicious |
3056 | crabler.exe | GET | — | 138.201.162.99:80 | http://www.fliptray.biz/ | DE | — | — | malicious |
3056 | crabler.exe | GET | — | 217.26.53.161:80 | http://www.haargenau.biz/ | CH | — | — | malicious |
3056 | crabler.exe | POST | — | 217.26.53.161:80 | http://www.haargenau.biz/wp-content/image/soesdehe.gif | CH | — | — | malicious |
3056 | crabler.exe | GET | 301 | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | — | — | whitelisted |
3056 | crabler.exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | — | — | whitelisted |
3056 | crabler.exe | GET | 301 | 69.16.175.10:80 | http://www.hardrockhoteldavos.com/ | US | html | 158 b | whitelisted |
3056 | crabler.exe | GET | — | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3056 | crabler.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
3056 | crabler.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
3056 | crabler.exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
3056 | crabler.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
3056 | crabler.exe | 138.201.162.99:80 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
3056 | crabler.exe | 83.138.82.107:443 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
3056 | crabler.exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
3056 | crabler.exe | 138.201.162.99:443 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
3056 | crabler.exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious |
3056 | crabler.exe | 217.26.53.37:80 | www.hrk-ramoz.com | Hostpoint AG | CH | malicious |
Domain | IP | Reputation
---|---|---
www.2mmotorsport.biz | | unknown
dns.msftncsi.com | | shared
www.haargenau.biz | | unknown
www.bizziniinfissi.com | | malicious
www.holzbock.biz | | unknown
www.fliptray.biz | | malicious
fliptray.biz | | malicious
www.pizcam.com | | unknown
www.swisswellness.com | | whitelisted
www.hotelweisshorn.com | | unknown

PID | Process | Class | Message |
---|---|---|---|
3056 | crabler.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
3056 | crabler.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3056 | crabler.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
3056 | crabler.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
3056 | crabler.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3056 | crabler.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
3056 | crabler.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
3056 | crabler.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
3056 | crabler.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3056 | crabler.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |