- First seen: January 2018
- Aliases:
- Samples:
- 249da7bff682f9f55a5d014e76c13382c54c1dec2572c3c2fdc8eeaeb06b1949 | windows | ransom | pe
- 000012ae3fb8e37f67607369161eb028f6237b7c1047fb53197ccb8505e01d50 | windows | ransom | pe
- 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f | windows | ransom | pe
- 0b193494ffbbc5396886715253582aea075f97f5c5e79b58de9a4c0c62ed9b02 | windows | ransom | pe
- ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23 | windows | ransom | pe
- d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0 | windows | ransom | pe
| Property | Value |
|---|---|
| Size | 182784 bytes |
| CRC32 | 0xa89a8793 |
| MD5 | 07ff7f16df64903675c55d508640c840 |
| SHA1 | 2b36ff896470e1ef50f37fd7a0974079b3ca9f3b |
| SHA256 | 249da7bff682f9f55a5d014e76c13382c54c1dec2572c3c2fdc8eeaeb06b1949 |
| SHA512 | 34465cf46dd177f7e4b3749fc7c67ef0df97abf9c87043c361c2a2c59aa7d239ba6411daec28b0b71cb644c5a16311454b6a36aa9f2b9b5bcb64c4a952990b55 |
| Ssdeep | 3072:qml+DFVdsRvzdCO2+veaDe4t1plZ+bcK/9yVte0BsIeEaGMHReVPJP7bY:LlEHdsNV2Vain/9Ug0BsHEaG3S |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-] PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32] |
| TrID | 30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9) |
- Avast: Win32:RansomX-gen [Ransom]
- Avira: TR/Redcap.btrfw
- Bitdefender: Trojan.GenericKDZ.96693
- Clamav: Win.Packer.Crypter-6539596-1
- Comodo: TrojWare.Win32.Ransom.GandCrab.A
- Drweb: Trojan.Encoder.24456
- Eset: Win32/Kryptik.GCRY
- Fsecure: Trojan.TR/Redcap.btrfw
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Mal/Kryptik-BM
- Symantec: Ransom.GandCrab
- Trendmicro: Ransom_HPGANDCRAB.SMG2
- Windefender: Trojan:Win32/Tofsee.PVJ!MTB| Property | Value |
|---|---|
| Size | 264206 bytes |
| CRC32 | 0xb073b66e |
| MD5 | 80ab445fe2d5d20fc5373b2e3b3a289f |
| SHA1 | bfc23d06a634263e3b6b57f89f3e4a2dac868293 |
| SHA256 | 000012ae3fb8e37f67607369161eb028f6237b7c1047fb53197ccb8505e01d50 |
| SHA512 | f930f6e585c0ee5cf60a33864592b74676442388aa2edc6c93a7e0c2429b66579f87d6098f0954511eef58d114616670b45048f7c44f29798bef776c21787b93 |
| Ssdeep | 3072:nn+fE7DdqU+yWT4W4YBNHquVRI8r9Ntf+b5xBqNoa3jGN+kbiGcZSWv:nn17Ddxti7FFlHmF184ioWv |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2010)[libcmt] PE: linker: Microsoft Linker(10.0)[EXE32] |
| TrID | 30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9) |
- Avast: Win32:Evo-gen [Trj]
- Avira: TR/Dropper.Gen
- Bitdefender: Trojan.GenericKDZ.70159
- Clamav: Win.Ransomware.Gandcrab-6985696-1
- Comodo: TrojWare.Win32.Magniber.A
- Drweb: Trojan.Encoder.24384
- Eset: Win32/Filecoder.GandCrab.B
- Fsecure: Trojan.TR/Dropper.Gen
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Mal/Agent-AUL
- Symantec: Ransom.GandCrab
- Trendmicro: Ransom_GANDCRAB.SMALY-3
- Windefender: Ransom:Win32/Gandcrab.SF!MTB| Property | Value |
|---|---|
| Size | 261128 bytes |
| CRC32 | 0xf08e8243 |
| MD5 | 368a8f05fa7be1fcc24f445c444acb30 |
| SHA1 | 909bee1d1a19f2ea43ba38e826d49c0e7cf958b3 |
| SHA256 | 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f |
| SHA512 | fc24030c4f78e3af1d8ed38c88baf78db07826afea0f90ae36fb853cd1f362e41ebd5fa331f8c467efd332b57f4b96fdbacc9bb7714a49cf8277db2ddd4493fb |
| Ssdeep | 3072:pyR64m3uiNEib+3NlcpX0XEtnvJzfQcHa8fiLtPy0AV5ODgnVqTLA4OmsWF:AH6Gh3vK0XEtJDHhfyylODgnMo4nsM |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2010)[libcmt] PE: linker: Microsoft Linker(10.0)[EXE32] |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:Evo-gen [Trj]
- Avira: HEUR/AGEN.1031796
- Bitdefender: Trojan.Ransom.GandCrab.Gen.2
- Clamav: Win.Trojan.Agent-6520562-0
- Comodo: TrojWare.Win32.GandCrab.D
- Drweb: Trojan.Encoder.24384
- Eset: Win32/Kryptik.GFTZ
- Fsecure: Heuristic.HEUR/AGEN.1319572
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Mal/GandCrab-B
- Symantec: Downloader
- Trendmicro: Ransom_HPGANDCRAB.SMG
- Windefender: Ransom:Win32/Gandcrab.SF!MTB| Property | Value |
|---|---|
| Size | 239625 bytes |
| CRC32 | 0x19cb3f37 |
| MD5 | f7c072a322cb0b4ce491307ddad466da |
| SHA1 | 2cac2760211ee91015ac22470ca59be7bf3ad685 |
| SHA256 | 0b193494ffbbc5396886715253582aea075f97f5c5e79b58de9a4c0c62ed9b02 |
| SHA512 | 8c40e406f24a37ee55a07d267d65d4f38dfee6a45558d8725edbf9ceb328451dbe554bde462e2e776c0ac9d24c0db494ac63c13b2819d344aed451e2d83955c8 |
| Ssdeep | 6144:xPDHV8MVXuFErxXmcC+eR+tLYidqkqMMC:xPD188Xu+F2+VYTkqMMC |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2008)[libcmt] PE: linker: Microsoft Linker(9.0)[EXE32] |
| TrID | 30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9) |
- Avast: Win32:Evo-gen [Trj]
- Avira: TR/GandCrab.twazv
- Bitdefender: Trojan.Ransom.GandCrab.Gen.2
- Clamav: Win.Packed.Gandcrab-6520432-4
- Comodo: TrojWare.Win32.Magniber.GH
- Drweb: Trojan.DownLoader26.42166
- Eset: Win32/Kryptik.GGGW
- Fsecure: Trojan.TR/GandCrab.twazv
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Mal/Agent-AUL
- Symantec: Trojan.Gen.2
- Trendmicro: Ransom_GANDCRAB.SMALY-5
- Windefender: Trojan:Win32/Gandcrab.AF| Property | Value |
|---|---|
| Size | 210432 bytes |
| CRC32 | 0x591f9828 |
| MD5 | 97a910c50171124f2cd8cfc7a4f2fa4f |
| SHA1 | 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4 |
| SHA256 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23 |
| SHA512 | cb0d9eb3bdeeb533e258473187d6dc17515de7d790fbeb5238e4eb0aeeb793bca8bf1bcda4a1c384cd6a488155e90f08a9e82846a08958c4f53de4b5e57e8844 |
| Ssdeep | 3072:yoVWBSpJ7sCi98qJfvU0QLyBNWVYzmOvjqsRI0VuQMmesXJ+T:yoGWJCuqJ3UdmWYRTIoMHsA |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2010)[libcmt] PE: linker: Microsoft Linker(10.0*)[EXE32] |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:MalwareX-gen [Trj]
- Avira: HEUR/AGEN.1034065
- Bitdefender: Trojan.Mint.Jamg.C
- Clamav: Win.Packer.Crypter-6614720-1
- Comodo: TrojWare.Win32.Ransom.GandCrab.GR
- Drweb: Trojan.Encoder.25655
+ Eset: clean
- Fsecure: Heuristic.HEUR/AGEN.1318126
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Troj/Ransom-EYW
- Symantec: Ransom.GandCrab
- Trendmicro: Ransom_GANDCRAB.THGOCAH
- Windefender: VirTool:Win32/Obfuscator.CAP| Property | Value |
|---|---|
| Size | 187392 bytes |
| CRC32 | 0xedf3e21c |
| MD5 | 07fadb006486953439ce0092651fd7a6 |
| SHA1 | e42431d37561cc695de03b85e8e99c9e31321742 |
| SHA256 | d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0 |
| SHA512 | 5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437 |
| Ssdeep | 3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2013)[-] PE: linker: Microsoft Linker(12.0)[EXE32] |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:RansomX-gen [Ransom]
- Avira: HEUR/AGEN.1036379
- Bitdefender: Generic.Ransom.GandCrab4.8CBC6992
- Clamav: Win.Ransomware.Gandcrab-9764464-0
- Comodo: Malware
- Drweb: Trojan.Encoder.24384
- Eset: Win32/Filecoder.GandCrab.D
- Fsecure: Heuristic.HEUR/AGEN.1358191
+ Kaspersky: clean
+ Mcafee: clean
- Sophos: Troj/Patched-BY
- Symantec: Ransom.GandCrab
- Trendmicro: Ransom_GANDCRAB.THAOOAAH
- Windefender: Ransom:Win32/GandCrab.AY- https://asec.ahnlab.com/ko/1091/
- https://asec.ahnlab.com/ko/1101/
- https://asec.ahnlab.com/ko/1130/
- https://asec.ahnlab.com/ko/1133/
- https://asec.ahnlab.com/ko/1145/
- https://www.acronis.com/en-sg/blog/posts/gandcrab/
- https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/
- https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/
- https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
- https://www.fortinet.com/blog/threat-research/gandcrab-2-1-ransomware-on-the-rise-with-new-spam-campaign
- https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire