GandCrab ransomware: My letter just for you

Beware of a new GandCrab campaign that has been unleashed. This campaign uses the e-mail subject line 'My letter just for you'.

The campaign tries to lure unaware users into downloading a .zip attachment. Once the attachment has been downloaded and unpacked, an executable file is made available. This executable is malicious: once it is run, it performs GandCrab behaviour on the device.

GandCrab is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them.

Indicators of compromise:

  • email-src: [email protected]
  • email-src: [email protected]
  • email-src-display-name: Billie Gray
  • email-src-display-name: Tasha Williams
  • email-subject: My letter just for you
  • ip-src: 3.175.111.5
  • ip-src: 185.129.93.28
  • ip-src: 195.127.5.255
  • url: http://92.63.197.48/v/kra.exe
  • url: http://92.63.197.48/v/t.php?new=1
  • user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
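As an added example (not part of the original advisory), the indicators above can be turned into a small matcher for inbound mail metadata and web-proxy logs; the proxy log format and the sample lines are constructed for illustration, and the host of each IoC URL is derived from the URLs listed above.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory above.
IOC_SUBJECT = "my letter just for you"
IOC_DISPLAY_NAMES = {"billie gray", "tasha williams"}
IOC_IPS = {"3.175.111.5", "185.129.93.28", "195.127.5.255"}
IOC_URLS = {"http://92.63.197.48/v/kra.exe", "http://92.63.197.48/v/t.php?new=1"}
IOC_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) "
                  "Gecko/20100101 Firefox/25.0")
# Hosts of the IoC URLs, derived from the list above rather than listed separately.
IOC_HOSTS = IOC_IPS | {urlsplit(u).hostname for u in IOC_URLS}

def score_email(subject, display_name, attachments):
    """Return the reasons an inbound mail matches the campaign's lure."""
    reasons = []
    if subject.strip().lower() == IOC_SUBJECT:
        reasons.append("subject")
    if display_name.strip().lower() in IOC_DISPLAY_NAMES:
        reasons.append("display-name")
    if any(name.lower().endswith(".zip") for name in attachments):
        reasons.append("zip-attachment")
    return reasons

# Constructed proxy log format: <client-ip> <dest-ip> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def match_proxy_line(line):
    """Return the indicator types hit by one proxy log line ([] if clean/unparsable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _client, dest_ip, url, user_agent = m.groups()
    hits = []
    if dest_ip in IOC_HOSTS or urlsplit(url).hostname in IOC_HOSTS:
        hits.append("ip")
    if url in IOC_URLS:
        hits.append("url")
    if user_agent == IOC_USER_AGENT:
        hits.append("user-agent")
    return hits

SAMPLE_LOG = [  # constructed sample lines: one download of the payload, one benign request
    '10.0.0.7 92.63.197.48 http://92.63.197.48/v/kra.exe "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '10.0.0.9 93.184.216.34 http://example.com/ "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_proxy_line(line) or "clean", "<-", line[:60])
```

The exact user-agent string on its own is a weak indicator (any client with that Firefox build would match), so treat it as corroboration for an IP or URL hit rather than as an alert by itself.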

Additional information:

  • https://urlhaus.abuse.ch/url/59638/
  • https://www.hybrid-analysis.com/sample/d00717d709f7a5ac4584cd7f77ad89261dc55613a26f725467567b081bf902ff/5ba89e8d7ca3e103b7347d28
  • https://app.sndbox.com/sample/6a92bc04-6eef-4aa3-8281-c4402fc7b5df/static
  • https://www.virustotal.com/en/file/d00717d709f7a5ac4584cd7f77ad89261dc55613a26f725467567b081bf902ff/analysis/
  • https://www.virustotal.com/en/file/0ae2e156724c914cebc087a2eab5d166df15921c3db83e81cd63aef81047db87/analysis/
  • https://analyze.intezer.com/#/analyses/fbb068fb-f1dc-441f-adef-706b815b1345