{
	"id": "0c2e20b1-5aee-47d3-b01c-b8965a39792c",
	"created_at": "2026-04-06T00:21:10.773931Z",
	"updated_at": "2026-04-10T03:21:08.543489Z",
	"deleted_at": null,
	"sha1_hash": "5316b30cba9a7148133e7683db344d2404add87b",
	"title": "R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 544628,
	"plain_text": "R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The\r\nEye'\r\nPublished: 2018-11-08 · Archived: 2026-04-05 15:05:39 UTC\r\nGandCrab is one of the known ransomware in the wild that keeps on updating, Actually in past few days security researchers\r\nfound out that a new version was released. While analyzing this file, the malware artifacts that download the said new\r\nversion of GandCrab shown by great security website malware-traffic-analysis  catches my interest. So I unpacked the code\r\nand analyze it and interestingly it is not only a downloader but also contain some \"anti Sanbox/VM technique\" function,\r\nbypassing firewall and Windows Defender, embedding itself to rar archive files, worm capabilities via removable drives and\r\nmany more. So lets dig more to its code... :)\r\nChecking Sandbox and Virtual Machine Process and Module Names:\r\nThis  Malware Downloader can checks whether  its file is running in a sandbox or virtual machine, by checking 16 process\r\nname hard coded to its code. (interestingly it includes \"python.exe\" to its checking, since python is known common scripting\r\ntools used in malware sandbox :) ). If one of those process was found in infected machine it will end its process by call\r\nExitProcess API.\r\nfig. 1 - SandBox/VM ProcessName it checks\r\nhttps://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html\r\nPage 1 of 10\n\nfig. 2 - Enumerating Running Process\r\nIt also checks some modules or module exported API to detect sandbox environment. example it checks if \"kernel32.dll\"\r\ncontains \"wine_get_unix_file_name\" exported API, because this export function is common in wine software designed for\r\nexecuting windows application in unix which is common in some linux base malware sandbox. if this exported api found,\r\nexit the process\r\nfig. 
3 - checking the \"wine_get_unix_file_name\" API\r\nIt can also detect the Sandboxie and SysAnalyzer environments by checking for the modules those tools load into a monitored process: it calls GetModuleHandle on each module name, and if the call returns a handle its code is running in the said environment and it exits the process.\r\nfig. 4 - sandbox modules\r\nfig. 5 - for loop checking the sandbox modules\r\nIt also creates a mutex named \"75969590\" to make sure only one instance of its code is running on the system, and creates a Run key (%regrun%) entry to persist on the infected machine:\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"\r\nBypassing Firewall and Windows Defender Anti-Virus:\r\nThis GandCrab component bypasses the Windows Firewall by adding the path of the copy of itself, \"%windir%\\T80870405687060\\winsvcs.exe\" (dropped with the hidden attribute), to the authorized-applications list under\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\L\r\nThen, to bypass Windows Defender and disable System Restore, it sets registry values that turn off some features of that AV, together with the value that disables System Restore:\r\nfig. 6 - bypassing Windows Defender and disabling System Restore\r\nDeleting the Download Meta-Information Fingerprint:\r\nIt deletes the \"\u003cmalware-process.exe\u003e:Zone.Identifier\" alternate data stream (ADS), the meta-information (mark of the web) that records that the file was downloaded from the internet.\r\nfig. 7 - deleting the Zone.Identifier meta-information\r\nPropagation Via Removable Drive:\r\nAfter bypassing Windows Defender it starts 3 separate threads. 
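Before looking at the threads one by one, here is a host-triage script added for this write-up (it is not the downloader's code and not from the original post). It checks a Windows host, read-only, for the artifacts described so far: the hidden copy under %windir%, the Run-key persistence, the firewall AuthorizedApplications entry, the Defender and Security Center values named in the post's YARA rule, the winsvcs.txt file, the single-instance mutex, and the removable-drive files discussed next. Assumptions the post does not state: the firewall key ends in the standard List subkey (the path on this page is truncated), the Defender values live under the usual Policies keys, and System Restore is disabled through the DisableSR policy value; the Run-key value name is unknown, so that check matches on the value data instead.

```powershell
# Added host-triage script for the artifacts described above. It is not the
# downloader's code and not from the original post; it only reads state and
# changes nothing. Checked: the hidden copy under %windir%, the Run-key
# persistence, the firewall AuthorizedApplications entry, the Defender and
# Security Center values named in the post's YARA rule, %appdata%\\winsvcs.txt,
# the single-instance mutex, and the removable-drive worm files.
# Assumptions not stated on the page: the firewall key ends in the standard
# 'List' subkey (the post's path is truncated), the Defender values sit under
# the usual Policies keys, and System Restore is disabled via the DisableSR
# policy value.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $findings.Add($Text) }

# 1. Dropped copies of the downloader and its text file
$paths = @(
    (Join-Path $env:windir  'T80870405687060\\winsvcs.exe'),
    (Join-Path $env:TEMP    'Windows Archive Manager.exe'),
    (Join-Path $env:APPDATA 'winsvcs.txt')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding ('File present: {0}' -f $p) }
}

# 2. Run-key values pointing at the dropped copy (value name unknown, so match on data)
$runKeys = 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
           'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'T80870405687060|winsvcs\\.exe') {
            Add-Finding ('Run value {0}\\{1} = {2}' -f $k, $prop.Name, $prop.Value)
        }
    }
}

# 3. Firewall authorized-application entry (the XP/2003-era StandardProfile list)
$fwKey = 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List'
if (Test-Path $fwKey) {
    (Get-ItemProperty -Path $fwKey).PSObject.Properties |
        Where-Object { $_.Name -match 'T80870405687060|winsvcs\\.exe' } |
        ForEach-Object { Add-Finding ('Firewall allow entry: {0}' -f $_.Name) }
}

# 4. Defender / Security Center / System Restore values; 1 means the feature is disabled
$avChecks = @(
    @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' },
    @{ Key = 'HKLM:\\SOFTWARE\\Microsoft\\Security Center';                               Name = 'FirewallDisableNotify' },
    @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore';             Name = 'DisableSR' }
)
foreach ($c in $avChecks) {
    if (-not (Test-Path $c.Key)) { continue }
    $v = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { Add-Finding ('{0}\\{1} = 1' -f $c.Key, $c.Name) }
}

# 5. Single-instance mutex; OpenExisting throws WaitHandleCannotBeOpenedException when absent
try {
    $m = [System.Threading.Mutex]::OpenExisting('75969590')
    $m.Dispose()
    Add-Finding 'Mutex 75969590 exists (downloader may be running)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to report
} catch {
    Add-Finding ('Mutex 75969590 could not be opened: {0}' -f $_.Exception.Message)
}

# 6. Worm files on removable drives (DriveType 2), skipping A: and B: as the downloader does
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    Where-Object { $_.DeviceID -notin 'A:', 'B:' } |
    ForEach-Object {
        $root = $_.DeviceID + '\\'
        foreach ($rel in 'autorun.inf', '_\\DeviceManager.exe') {
            $f = Join-Path $root $rel
            if (Test-Path -LiteralPath $f) { Add-Finding ('Worm file: {0}' -f $f) }
        }
        # the fake drive shortcut: any .lnk in the root whose arguments launch _\\DeviceManager.exe
        $shell = New-Object -ComObject WScript.Shell
        Get-ChildItem -LiteralPath $root -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($shell.CreateShortcut($_.FullName).Arguments -match 'DeviceManager\\.exe') {
                    Add-Finding ('Fake drive shortcut: {0}' -f $_.FullName)
                }
            }
    }

if ($findings.Count -eq 0) { 'No GandCrab downloader artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell on the suspect host; a non-empty result is a hit on one or more of the post's IOCs, and an empty one prints a one-line all-clear. The shortcut check reads the .lnk arguments rather than trusting its icon, because the lure depends on the icon looking like a mapped drive while the target is cmd.exe.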
The first thread is responsible for propagating via removable drives. The thread contains an infinite while loop that looks for removable drives attached to the infected machine, excluding \"A:\\\" and \"B:\\\", with a 1 second sleep between scans.\r\nfig. 8 - Worm propagation through removable drives\r\nIf a removable drive is found during this scan it calls the function that does the actual worm propagation. That function creates a \".lnk\" file with a mapped-drive icon that points to another copy of itself, \"DeviceManager.exe\", placed in a new hidden directory \"_\" it creates on the drive. This technique may lure the user into clicking the .lnk file that looks like a mapped drive, thereby executing its code. Aside from that it also creates an autorun.inf that executes the said copy of itself when the removable drive is opened.\r\nfig. 9 - worm component\r\nfig. 10 - building the fake .lnk and the autorun.inf file\r\nfig. 11 - the fake .lnk file: %windir%\\system32\\cmd.exe /c start _ \u0026 _\\DeviceManager.exe \u0026 exit\r\nIt also tries to delete the following types of files on the removable drive.\r\nfig. 12 - deleting some file types on the removable drive\r\nEmbedding Itself into RAR Archive Files:\r\nAnother interesting thing is in the 2nd thread, where it creates another copy of itself in the %temp% folder named \"Windows Archive Manager.exe\", then looks for RAR archive files on the infected machine and embeds that copy into each of them, again under the name \"Windows Archive Manager.exe\".\r\nfig. 13 - finding archive files with the Rar! file header\r\nAfter letting it modify the bait .rar file I created, you can notice right away that the size got bigger and the copy of itself from %temp% is embedded in the archive file. I tried to extract the modified archive and got an error, but I was still able to extract the original file in the archive. Maybe a specific RAR version is needed for this embedding technique to work, or the malware author missed something in the RAR header. (I will try to look more into this interesting stuff :) )\r\nfig. 15 - the modified RAR archive file\r\nfig. 16 - error while extracting, but the original file is recoverable\r\nDownloading GandCrab Ransomware:\r\nAnd of course the last thread deals with downloading the new version of the GandCrab ransomware, saved as \"t.exe\", using the following specific user agent.\r\nfig. 17 - downloading the new version of GandCrab ransomware\r\nConclusion:\r\nKnown malware keeps using other modules and components to do its evil work, to make analysis harder and to hide the big picture of the infection from the security analyst or researcher. 
Sometimes malware components that look too simple or linear may contain a bunch of interesting stuff to look for.\r\nIOC:\r\nFilename: %windir%\\T80870405687060\\winsvcs.exe\r\nSha1: 3edfed5f75e4c64d914787c14273acaf70009d11\r\nmd5: 77ab057031aed055f40dbcd22c8eeb47\r\nSha256: 796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666\r\nFilesize: 156 KB (159,744 bytes)\r\nUnpacked version:\r\nSha1: 7b348fa38931e8313e2ba621c07bf6085e6770eb\r\nmd5: b464576150cd921b6f9cbd01923392b1\r\nSha256: 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4\r\nCopies of itself:\r\n%windir%\\T80870405687060\\winsvcs.exe\r\n%Temp%\\Windows Archive Manager.exe\r\n%removable_drive%\\_\\DeviceManager.exe\r\nWorm component:\r\n%removable_drive%\\autorun.inf\r\n%removable_drive%\\_ (hidden directory '_')\r\n%removable_drive%\\.lnk (fake mapped-drive shortcut)\r\nUser agent:\r\n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\"\r\nOthers:\r\n%appdata%\\winsvcs.txt\r\nURL:\r\n\"hxxp://92.63.197.48/vnc/\"\r\n\"hxxp://92.63.197.60/vnc/\"\r\nAutostart registry:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nYara Rule:\r\nimport \"pe\"\r\nrule gandcrab_win32_downloader_unpack {\r\n    meta:\r\n        author = \"tccontre\"\r\n        description = \"detecting gandcrab downloader\"\r\n        date = \"2018-11-08\"\r\n        sha256 = \"7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4\"\r\n    strings:\r\n        $mz = { 4d 5a }\r\n        $s1 = \"open=_\\\\DeviceManager.exe\" fullword\r\n        $s2 = \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\" fullword\r\n        $c0 = \"DisableAntiSpyware\" fullword wide\r\n        $c1 = \"DisableBehaviorMonitoring\" fullword wide\r\n        $c2 = \"FirewallDisableNotify\" fullword wide\r\n        $c3 = \"ls\\\\T80870405687060\" fullword\r\n        $c4 = \"Recycle.Bin\" fullword wide\r\n        $c5 = \"autorun.inf\" fullword wide\r\n        $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }\r\n        $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }\r\n    condition:\r\n        ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)\r\n}\r\nhttps://www.virustotal.com/#/file/796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666/detection\r\nSource: https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html"
	],
	"report_names": [
		"re-gandcrab-downloader-theres-more-to.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5316b30cba9a7148133e7683db344d2404add87b.pdf",
		"text": "https://archive.orkl.eu/5316b30cba9a7148133e7683db344d2404add87b.txt",
		"img": "https://archive.orkl.eu/5316b30cba9a7148133e7683db344d2404add87b.jpg"
	}
}