Clop

Clop

• First seen: February 2019
• Aliases:Cl0p
• Samples:
  • 6d115ae4c32d01a073185df95d3441d51065340ead1eada0efda6975214d1920 | windows | ransom | pe
  • 70f42cc9fca43dc1fdfa584b37ecbc81761fb996cb358b6f569d734fa8cce4e3 | windows | ransom | pe

Clop Windows Payload

Basic Properties

Property	Value
Size	302656 bytes
CRC32	0x6254f2e0
MD5	ae5cb860f043caa84bf4e11cec758616
SHA1	ccd147cea99c1b2e15f193a761f7a5be8da850e8
SHA256	6d115ae4c32d01a073185df95d3441d51065340ead1eada0efda6975214d1920
SHA512	45a7b262fb214b20ee83e0b6a3b406c6cb13c2222602a0d86c82e763ee253fc2b9f535e6485d7478e37e17d89e77aba7ef7f4721f02fac63794d992e6ef5fc1e
Ssdeep	6144:9wDzkRya+PofDeVrQJJko/fuo+A8zlC8KKC9R34UQJQHV:4zkRMPo6dQJJjuo+5R4Ky
Magic	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Packer	PE: compiler: Microsoft Visual C/C++(6.0)[libcmt] PE: linker: Microsoft Linker(6.0)[EXE32,signed]
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)

Antivirus Scan

- Avast: Win32:DangerousSig [Trj]
- Avira: HEUR/AGEN.1046227
- Bitdefender: Gen:Variant.Mikey.107538
- Clamav: Win.Malware.Agent-9377601-0
- Comodo: Malware
- Drweb: Trojan.Encoder.30429
- Eset: Win32/Kryptik.GWKF
- Fsecure: Heuristic.HEUR/AGEN.1209934
- Kaspersky: HEUR:Trojan.Win32.Zenpak.vho
+ Mcafee: clean
- Sophos: Troj/Agent-BDME
- Symantec: Downloader
- Trendmicro: Ransom.Win32.CLOP.YNAL1
- Windefender: Ransom:Win32/Clop.GI!MSR

Clop Windows Payload

Basic Properties

Property	Value
Size	306752 bytes
CRC32	0xf3c8e29b
MD5	c26e4d681a6506eac09ee322862ab814
SHA1	08576e51a724bdc648c40e0dfe3c12a61e7517ca
SHA256	70f42cc9fca43dc1fdfa584b37ecbc81761fb996cb358b6f569d734fa8cce4e3
SHA512	a5398df2710ae2eb0c0df6508e18e59e5ef12443c27e1345ad1461018d34f6ae546ded666b436c35dc364a22d2a54f4a9dd0c781a564b91bd2db572c18c8146f
Ssdeep	6144:ddExzBw8QFezLnIVlXlTtwN2KL8GWtVSF1mVwROb/3Aq4LXx2+:ddEJBYwsVn+NlL8wr0DwqmJ
Magic	PE32 executable (GUI) Intel 80386, for MS Windows
Packer	PE: compiler: Microsoft Visual C/C++(6.0)[libcmt] PE: linker: Microsoft Linker(6.0)[EXE32,signed]
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)

Antivirus Scan

- Avast: Win32:DangerousSig [Trj]
- Avira: HEUR/AGEN.1046227
- Bitdefender: Gen:Variant.Babar.51228
- Clamav: Win.Malware.Agent-9377629-0
+ Comodo: clean
- Drweb: Trojan.Encoder.30425
- Eset: Win32/GenKryptik.EARA
- Fsecure: Heuristic.HEUR/AGEN.1209934
- Kaspersky: Trojan-Ransom.Win32.Encoder.gri
+ Mcafee: clean
- Sophos: Troj/Agent-BDME
- Symantec: Downloader
- Trendmicro: Ransom.Win32.CLOP.YAALZ
- Windefender: Trojan:Win32/CryptInject.PZ!MTB

References

• https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop
• https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html
• https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/