REVERSING SESSIONS

Hasherezade Crackme 2017 Solution
It is NOT a malware file at hybrid-analysis; it is a clean executable that uses tricks that AV detects as dangerous, ;)

BadRabbit Vaccine using Mutex against BadRabbit (first version).
MD5: 2468e5c5d2a678ade074a92c2897cd07
SHA1: 299998fd6acebbae314391b8a0a2f62a1103aeb2
USE under your responsibility, ;) Some AV can detect it as malware because I use the same algorithm to calculate the hash. Anyway, only download from here or check the MD5 or SHA1 hashes.
Password: poisoncarrot

Ordinypt Malware Report
MD5: ced0f90e17557c0e58835810cfccfa18
SHA1: 5196d5204054fc7d72db7ab96004fe364d4422f7

RunningRat Report
Made in only one day in a quick rush, ;) It has a connection with the APT GoldenDragon.
MD5: 7aa6c317b6ad69d2433474a414e4a529
SHA1: ccd27ad397df5e332386cf8cc63de06b1aaaf518
Includes Yara rules to detect it on disk and in memory and one Mandiant IOC.

My POC of the exploit for CVE-2017-11882, in PDF format.
Read inside for more information.
MD5: c577d8afb2608abd37fa77743342ddc3
SHA1: 255c89759a75e74184c8dd6c432446b6d9b6e0ae
Thank you, :)

My POC of the Process Doppelgänging exploit presented at Blackhat by enSilo.
My POC works in 64 bits: you need to use it on a 64-bit system; the victim can be any 32- or 64-bit file, but the bad file needs to be 64-bit. It is a problem with the PEB and WOW64, but with time I will try to fix it.
MD5: 208d9be16804b8ab516b3c500a0e9fc4
SHA1: 579506f0e72101412ffe74bd6f8a78ca7c210f6b
Remember that you CAN'T USE it on Windows 10 or you will get a BSOD because of a null pointer exception.
Password: infected

GandCrab v4.x Vaccine 64 bits, using a design mistake by the GandCrab creators.
Waiting for your new version dudes, ;)
MD5: 4dcbfee78938ac40c2ed6ddead84478c
SHA1: c1519e70c9d5cb0d7f8d63da82e03dc7b99321ed
Before use, read the readme! USE under your responsibility, ;) Some AV can detect it as suspicious because of the code, but it is clean, and if you don't believe me.. reverse it! Always download from here or check the MD5 or SHA1 hashes of the zip file.
Password: Valthek

GandCrab v4.x Vaccine 32 bits, using a design mistake by the GandCrab creators.
Waiting for your new version dudes, ;)
MD5: 4948fd7c29d958cff6ca53e09bc0ac04
SHA1: 190512001815ab06e4024d84a971b80e0f1e7e48
Before use, read the readme! USE under your responsibility, ;) Some AV can detect it as suspicious because of the code, but it is clean, and if you don't believe me.. reverse it! Always download from here or check the MD5 or SHA1 hashes of the zip file.
Password: Valthek

GandCrab v4.x and 5.x(?) Vaccine 32 bits, using a design mistake by the GandCrab creators.
Waiting for your new version dudes, and please make it work in XP, :P XPSPRINT.DLL doesn't exist in Windows versions older than Windows 7, ;) Nice copy & paste exploit.
MD5: e4b0205571262648100cdf29037077c6
SHA1: 1e9086426803dfe975b5ab9840732d74eacaf468
Before use, read the readme! USE under your responsibility, ;) Some AV can detect it as suspicious because of the code, but it is clean, and if you don't believe me.. reverse it! Always download from here or check the MD5 or SHA1 hashes of the zip file.
This version installs the vaccine and installs the vaccine itself with persistence, and if needed removes the new GandCrab wallpaper and sets an empty wallpaper.
DOESN'T WORK STARTING WITH THE VERSION OF GANDCRAB 5.2 WITH COMPILED TIME 22/2/2019!
Password: Valthek

GandCrab v4.x Vaccine 64 bits, using a design mistake by the GandCrab creators.
Waiting for your new version dudes, ;)
MD5: 2bd9e310ecdbdb3c6c7b3030bd5ad08e
SHA1: 2f5d7e78640cf08073ed07908de3e42a187defa5
Before use, read the readme! USE under your responsibility, ;) Some AV can detect it as suspicious because of the code, but it is clean, and if you don't believe me.. reverse it! Always download from here or check the MD5 or SHA1 hashes of the zip file.
This version doesn't have any persistence in the system; it only puts the vaccine in place and makes a backup if needed.
DOESN'T WORK STARTING WITH THE VERSION OF GANDCRAB 5.2 WITH COMPILED TIME 22/2/2019!
Password: Valthek

GandCrab v4.x Vaccine 32 bits, using a design mistake by the GandCrab creators.
Waiting for your new version dudes, ;)
MD5: a5ab8d35d23d87d0b7cd6222ee089202
SHA1: 1e3fbe503720ffcff6defb32225c6b7bfd5d1a1a
Before use, read the readme! USE under your responsibility, ;) Some AV can detect it as suspicious because of the code, but it is clean, and if you don't believe me.. reverse it! Always download from here or check the MD5 or SHA1 hashes of the zip file.
This version doesn't have any persistence in the system; it only puts the vaccine in place and makes a backup if needed.
DOESN'T WORK STARTING WITH THE VERSION OF GANDCRAB 5.2 WITH COMPILED TIME 22/2/2019!
Password: Valthek

GandCrab v4.x and 5.x(?) Vaccine 32 bits, using a design mistake by the GandCrab creators.
Waiting for your new version dudes, and please make it work in XP, :P XPSPRINT.DLL doesn't exist in Windows versions older than Windows 7, ;) Nice copy & paste exploit.
DOESN'T WORK STARTING WITH THE VERSION OF GANDCRAB 5.2 WITH COMPILED TIME 22/2/2019!
MD5: aae2b5d8bde4f774870405cfd302aac8
SHA1: 1870b923bdb260c750f03db164e7fae3a29ce6eb
Before use, read the readme! USE under your responsibility, ;) Some AV can detect it as suspicious because of the code, but it is clean, and if you don't believe me.. reverse it! Always download from here or check the MD5 or SHA1 hashes of the zip file.
This version doesn't have any persistence in the system; it only puts the vaccine in place and makes a backup if needed, removes the new GandCrab wallpaper from the disk if needed and sets an empty desktop wallpaper.
Password: Valthek

GandCrab 5.1 (version with compiled time 29/01/2019, 16/02/2019 and 19/02/2019 only!)
DOESN'T WORK STARTING WITH THE VERSION OF GANDCRAB 5.2 WITH COMPILED TIME 22/2/2019!
SHA1: 8f7480aaa9c3f0c264508fef1a3a033763dbb8aa
SHA256: f2b60dd0cbba43c2ba5f4e7deb7d872ae8b0f89f66677aa6a926e708320ebb08
Thanks to the string that the GandCrab gang put at the start of the ransomware code, this vaccine can prevent the malware from encrypting the files, changing the wallpaper, etc. It must always be run AS ADMIN to protect the system correctly! Put it in your startup folder if you want persistence. Tested in Windows XP, 7 and 10. It is a 32-bit version to give more support. Use under your responsibility.
Password: Valthek

GandCrab 5.2 (from 21/2/2019 to ????) Vaccine, 32 bits but will work in 64 bits without problem
Put it in your startup folder so that it executes on each boot to get persistence. IT IS IMPORTANT, and if it can be run as admin, better!!
USE UNDER YOUR RESPONSIBILITY! I WILL NOT TAKE ANY RESPONSIBILITY FOR THIS. THIS VACCINE WORKS, BUT IN THE FUTURE THINGS CAN CHANGE!
SHA1: acdaab48c547cd2be5c6867b89e364d8792a3a0d
SHA256: 8c07182fd6af92efe984dc65ab7efd7f9a86ee4cd90085a7241e22dd4ad0891f
Password: Valthek