Summary

c2af3cb8b1d5a4e8c9ae3a431f414175f8909d69b9ce564c59a66a90a6a002fb.exe

File c2af3cb8b1d5a4e8c9ae3a431f414175f8909d69b9ce564c59a66a90a6a002fb.exe

Summary
Download Resubmit sample Download yara

Size 73.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a5655218287590517509767975a5dac1
SHA1 201e8e15883005d4fc544d8e382db4ad5fc19221
SHA256 c2af3cb8b1d5a4e8c9ae3a431f414175f8909d69b9ce564c59a66a90a6a002fb
SHA512
e2e0223f23f4c4e4271e51f1f551cd47702c66495ed7de12fe31f7e341966676c5c50c3666f39038fccc25ffc8e2b331f133e38270edffbd29a2705ec1c90676
CRC32 A416A84B
ssdeep None
Yara
  • Gandcrab - Gandcrab Payload
  • CrowdStrike_CSIT_18151_01 - This rule detects GandCrab ransomware once it is in an unpacked state.
  • network_http - Communications over HTTP
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

6549936

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE June 9, 2025, 1:56 p.m. June 9, 2025, 2:02 p.m. 387 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-06-09 10:27:13,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpk4d6bl
2025-06-09 10:27:13,046 [analyzer] DEBUG: Pipe server name: \??\PIPE\GluZDsrrikEhVpkKQRtqUWgY
2025-06-09 10:27:13,046 [analyzer] DEBUG: Log pipe server name: \??\PIPE\jFqjiqUOILoTxxzsPogZvOBC
2025-06-09 10:27:13,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-09 10:27:13,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-09 10:27:13,858 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-09 10:27:14,092 [analyzer] DEBUG: Loaded monitor into process with pid 512
2025-06-09 10:27:14,092 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-09 10:27:14,092 [analyzer] DEBUG: Started auxiliary module Human
2025-06-09 10:27:14,092 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-09 10:27:14,092 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-09 10:27:14,171 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-09 10:27:14,171 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-09 10:27:14,171 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-09 10:27:14,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-09 10:27:14,328 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\c2af3cb8b1d5a4e8c9ae3a431f414175f8909d69b9ce564c59a66a90a6a002fb.exe' with arguments '' and pid 2728
2025-06-09 10:27:14,562 [analyzer] DEBUG: Loaded monitor into process with pid 2728
2025-06-09 10:27:14,890 [analyzer] INFO: Added new file to list with pid 2728 and path C:\Users\Administrator\AppData\Roaming\Microsoft\fohbyc.exe
2025-06-09 10:27:17,640 [analyzer] INFO: Injected into process with pid 1364 and name u'nslookup.exe'
2025-06-09 10:27:17,905 [analyzer] DEBUG: Loaded monitor into process with pid 1364
2025-06-09 10:27:20,328 [analyzer] INFO: Process with pid 1364 has terminated
2025-06-09 13:00:36,440 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-09 13:00:37,394 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-09 13:00:37,394 [lib.api.process] INFO: Successfully terminated process with pid 2728.
2025-06-09 13:00:37,410 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-09 13:56:07,550 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:08,577 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:09,619 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:10,649 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:11,673 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:12,820 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:14,078 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:15,147 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:16,214 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:17,286 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:18,331 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:19,374 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:20,407 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:21,425 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:22,442 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:23,463 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:24,482 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:25,499 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:26,520 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:27,570 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:28,602 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:29,640 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:30,678 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:31,713 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:32,740 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:33,771 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:34,808 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:35,856 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:36,898 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:37,943 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:38,990 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:40,037 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:41,165 [cuckoo.core.scheduler] DEBUG: Task #6549164: no machine available yet
2025-06-09 13:56:42,223 [cuckoo.core.scheduler] INFO: Task #6549164: acquired machine win7x6422 (label=win7x6422)
2025-06-09 13:56:42,224 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.222 for task #6549164
2025-06-09 13:56:42,435 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 61368 (interface=vboxnet0, host=192.168.168.222)
2025-06-09 13:56:42,748 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6422
2025-06-09 13:56:43,105 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6422 to vmcloak
2025-06-09 13:58:28,527 [cuckoo.core.guest] INFO: Starting analysis #6549164 on guest (id=win7x6422, ip=192.168.168.222)
2025-06-09 13:58:29,533 [cuckoo.core.guest] DEBUG: win7x6422: not ready yet
2025-06-09 13:58:34,558 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6422, ip=192.168.168.222)
2025-06-09 13:58:34,653 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6422, ip=192.168.168.222, monitor=latest, size=6660546)
2025-06-09 13:58:36,088 [cuckoo.core.resultserver] DEBUG: Task #6549164: live log analysis.log initialized.
2025-06-09 13:58:37,124 [cuckoo.core.resultserver] DEBUG: Task #6549164 is sending a BSON stream
2025-06-09 13:58:37,562 [cuckoo.core.resultserver] DEBUG: Task #6549164 is sending a BSON stream
2025-06-09 13:58:38,374 [cuckoo.core.resultserver] DEBUG: Task #6549164: File upload for 'shots/0001.jpg'
2025-06-09 13:58:38,393 [cuckoo.core.resultserver] DEBUG: Task #6549164 uploaded file length: 133491
2025-06-09 13:58:40,908 [cuckoo.core.resultserver] DEBUG: Task #6549164 is sending a BSON stream
2025-06-09 13:58:50,589 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 13:59:05,710 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 13:59:20,838 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 13:59:35,936 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 13:59:51,134 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 14:00:06,422 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 14:00:21,537 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 14:00:36,622 [cuckoo.core.guest] DEBUG: win7x6422: analysis #6549164 still processing
2025-06-09 14:00:36,634 [cuckoo.core.resultserver] DEBUG: Task #6549164: File upload for 'curtain/1749466836.63.curtain.log'
2025-06-09 14:00:36,637 [cuckoo.core.resultserver] DEBUG: Task #6549164 uploaded file length: 36
2025-06-09 14:00:37,201 [cuckoo.core.resultserver] DEBUG: Task #6549164: File upload for 'sysmon/1749466837.19.sysmon.xml'
2025-06-09 14:00:37,406 [cuckoo.core.resultserver] DEBUG: Task #6549164 uploaded file length: 7586792
2025-06-09 14:00:37,424 [cuckoo.core.resultserver] DEBUG: Task #6549164: File upload for 'files/53997ac8a46f745d_fohbyc.exe'
2025-06-09 14:00:37,433 [cuckoo.core.resultserver] DEBUG: Task #6549164 uploaded file length: 75264
2025-06-09 14:00:37,435 [cuckoo.core.resultserver] DEBUG: Task #6549164 had connection reset for <Context for LOG>
2025-06-09 14:00:39,656 [cuckoo.core.guest] INFO: win7x6422: analysis completed successfully
2025-06-09 14:00:39,680 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-09 14:00:39,708 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-09 14:00:40,381 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6422 to path /srv/cuckoo/cwd/storage/analyses/6549164/memory.dmp
2025-06-09 14:00:40,387 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6422
2025-06-09 14:02:33,363 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.222 for task #6549164
2025-06-09 14:02:34,640 [cuckoo.core.scheduler] DEBUG: Released database task #6549164
2025-06-09 14:02:34,669 [cuckoo.core.scheduler] INFO: Task #6549164: analysis procedure completed

Signatures

Yara rules detected for file (6 events)
description Gandcrab Payload rule Gandcrab
description This rule detects GandCrab ransomware once it is in an unpacked state. rule CrowdStrike_CSIT_18151_01
description Communications over HTTP rule network_http
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect private profile rule win_files_operation
Allocates read-write-execute memory (usually to unpack itself) (15 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00810000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00800000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 98304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x011e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01250000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: RTDRUOBVHNBTXI
1 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated

CryptGenKey

 crypto_handle: 0x006c6bf8
algorithm_identifier: 0x0000a400 (CALG_RSA_KEYX)
flags: 134217729
key:
provider_handle: 0x006c4278
1 1 0

CryptExportKey

 buffer: ¤RSA1‡…ÁÖRyã/°°ŸÐPç÷k„¯_-ß©F[éC{Ùö¤~n7»’ ÊogV° ²â9"Ÿ-ébâ°¶"2PŒ&¼7:DGtS6¢ø‰#{|nœþýɔÿîpÊh£Èžðâ˜õ2¿ ^ÂìNZMŽ^DŠ¸K*vßâÅC`cÏØJySwpS£3ɺÿï;ž&L‚.ôJå²D©žÖʦð A:êwÓ#ß`GÑ(oAïWì$Ãy¹H* ¨9ÈŸ Ÿl$“ÔÒ½~£ß˜Âzô¨~¦tZK»Äe·!à7†kW椭o~m»ˆß±;|ËRZÓmè~ÜQÌ
crypto_handle: 0x006c6bf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: ¤RSA2‡…ÁÖRyã/°°ŸÐPç÷k„¯_-ß©F[éC{Ùö¤~n7»’ ÊogV° ²â9"Ÿ-ébâ°¶"2PŒ&¼7:DGtS6¢ø‰#{|nœþýɔÿîpÊh£Èžðâ˜õ2¿ ^ÂìNZMŽ^DŠ¸K*vßâÅC`cÏØJySwpS£3ɺÿï;ž&L‚.ôJå²D©žÖʦð A:êwÓ#ß`GÑ(oAïWì$Ãy¹H* ¨9ÈŸ Ÿl$“ÔÒ½~£ß˜Âzô¨~¦tZK»Äe·!à7†kW椭o~m»ˆß±;|ËRZÓmè~ÜQÌa‹—ˆþOôÖ ¢<|– É=è:OGž«¶žU¢2rºþB3s›|-!¹>A’7¾Wù›:Јù[‰ž¹·€fÊÅ£®Pâ_ŸMFµâèЪæ÷eNåüӿɑpþãtP”©'^i†Š,ON¨jì«0͗êò”X á}=¯“;‘>ðçai¸y­ÔrHz±u¯Ð«Šsõ´ < 6JûM}ϕ|-ÚPCž®¦_™8‰G:Àÿ <ÛŒ‘‚Ümg¯ìƱÆÖƒ†»¦òRW[á՘µyÔw"¼Ü½V_¼ tût¶kNGŒAÚ-)Q– Wð(¸ÙÁ‡?$ñØ#°Œ›)Îv­óKŽ`N‘©Ë]tFX¤ï`óîC×»³Z`S_aªt[ëÕ!dGÌçS¡bM!¨û|åõéÅUuñBUwu~Jióþ‘;ýä­ðR2C¹qÝýóaF  5ÍVî@†et|s“Oö}&ûjŽóß« „ÝrŸQs!Ý`N'õ4%_}sº6œ•dþôôªÓ=¿ýDu—QµéÄ ^ÏàyCÕï¬c¯Ú ùúä™,NúT‡ dI@œ¨ÒpgÛŒØtºËÛäÐàsf©]eÍ© !¥Ö±]yÀTó’=} jÆg°®dj2ҍ:2r%[ÿ\èM’ÕH|4F½dŽœ–šjµ;‡S½G³3à:úO•ùÀ;³¾–V2|ÚR5JkV÷K7¯ŽºŒW—Z®æ1 kDÔÊ |÷¨a/Fž¿ q\“gx§d\™Há!Ä«7}ÏNìíq­VNCÁóR{hú=”¥IXŠõ**DÖ*bб¼¼ ³Pòà$vWÏ2I~ZB&ى—Ãœ´wâä|pËo?ýõ}²z-88#®Þ+›nímÓwú&d²UʯM™ÙN 0=xEvvÜN[ûݳè7îû 0w‡‰Ô~Û[xIŽšSZ‡d×Õ}"®šéÖþgʆE;IõaÞ".®Ÿ­ºA‚•}u^ðu/r廁 ók;üëcË7®xWqä¬=W~Ú呾«í“™×ª®ùàCNU£‰>–эM<ʗ>Т.XûÏ3¥ˆj·AìlŸ pÄqt§ÔEH
crypto_handle: 0x006c6bf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 60083798
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 67031551
1 1 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator\AppData\Roaming\Microsoft\fohbyc.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator\AppData\Roaming\Microsoft\fohbyc.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000008c
process_name: taskhost.exe
process_identifier: 1212
1 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 46
family: 0
1 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline nslookup nomoreransom.bit dns1.soprodns.ru
cmdline nslookup emsisoft.bit dns1.soprodns.ru
Raised Snort alerts (2 events)
snort ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
snort ET INFO DNS Query Domain .bit
Raised Suricata alerts (4 events)
suricata ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
suricata ETPRO MALWARE GandCrab DNS Lookup 1
suricata ET INFO DNS Query Domain .bit
suricata ETPRO MALWARE GandCrab DNS Lookup 3
Checks the CPU name from registry, possibly for anti-virtualization (1 event)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\fpehkmgzegz reg_value "C:\Users\Administrator\AppData\Roaming\Microsoft\fohbyc.exe"
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (10 events)
Time & API Arguments Status Return Repeated

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: lãŸ:BÙÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x0000030c
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
value: Network
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadNetworkName
1 0 0

RegSetValueExW

 key_handle: 0x00000308
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x00000308
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: lãŸ:BÙÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x00000308
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x00000308
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x00000308
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: lãŸ:BÙÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x00000308
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0
File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Generic.Ransom.GandCrab.E6015A93 (Engine A), Win32.Trojan-Ransom.GandCrab.D (Engine B)
Avast Core Security (Linux) Win32:MalwareX-gen [Ransom]
C4S ClamAV (Linux) Win.Ransomware.Gandcrab-6667060-0
Trellix (Linux) GenericRXDY-EJ
WithSecure (Linux) Trojan.TR/FileCoder.oytet
eScan Antivirus (Linux) Generic.Ransom.GandCrab.E6015A93(DB)
ESET Security (Windows) Win32/Filecoder.GandCrab.B trojan
Sophos Anti-Virus (Linux) Troj/GandCrab-A
DrWeb Antivirus (Linux) Trojan.Encoder.27154
ClamAV (Linux) Win.Ransomware.Gandcrab-6667060-0
Bitdefender Antivirus (Linux) Generic.Ransom.GandCrab.E6015A93
Kaspersky Standard (Windows) Trojan-Ransom.Win32.GandCrypt.jes
Emsisoft Commandline Scanner (Windows) Trojan.Agent (A)
File has been identified by 70 AntiVirus engines on VirusTotal as malicious (50 out of 70 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Mauvaise.SL1
Skyhigh BehavesLike.Win32.Generic.lh
ALYac Generic.Ransom.GandCrab.E6015A93
Cylance Unsafe
VIPRE Generic.Ransom.GandCrab.E6015A93
Sangfor Ransom.Win32.Gandcrab_1.se
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Generic.Ransom.GandCrab.E6015A93
K7GW Trojan ( 005261921 )
K7AntiVirus Ransomware ( 0053d33d1 )
Arcabit Generic.Ransom.GandCrab.E6015A93
VirIT Trojan.Win32.Encoder.BKBW
Symantec Ransom.GandCrab
Elastic Windows.Generic.Threat
ESET-NOD32 Win32/Filecoder.GandCrab.B
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
ClamAV Win.Ransomware.Gandcrab-6667060-0
Kaspersky Trojan-Ransom.Win32.GandCrypt.jes
Alibaba Ransom:Win32/GandCrab.df2912b8
NANO-Antivirus Trojan.Win32.Encoder.eykzmb
SUPERAntiSpyware Ransom.GandCrab/Variant
MicroWorld-eScan Generic.Ransom.GandCrab.E6015A93
Rising Ransom.GandCrab!1.B8D6 (CLASSIC)
Emsisoft Trojan.Agent (A)
F-Secure Trojan.TR/FileCoder.oytet
DrWeb Trojan.Encoder.27154
Zillya Trojan.Filecoder.Win32.7193
TrendMicro Ransom_GANDCRAB.SMALY-4
McAfeeD Real Protect-LS!A56552182875
Trapmine malicious.high.ml.score
CTX exe.ransomware.gandcrab
Sophos Troj/GandCrab-A
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.a565521828759051
Jiangmin Trojan.Generic.bzloj
Webroot W32.Trojan.Gen
Google Detected
Avira TR/FileCoder.oytet
Antiy-AVL Trojan/Win32.AGeneric
Kingsoft malware.kb.a.1000
Gridinsoft Ransom.Win32.STOP.dd!se28373
Xcitium TrojWare.Win32.Ransom.GandCrab.B@7kn2ff
Microsoft Ransom:Win32/GandCrab!pz
ViRobot Trojan.Win32.GandCrab.75264
ZoneAlarm Trojan-Ransom.Win32.GandCrypt.jes
GData Win32.Trojan-Ransom.GandCrab.D
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.