Overview

overview

10

Static

static

10

a7f09cfde4...9b.exe

windows10-1703-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b.7z

  • Size

    10KB

  • Sample

    221003-1sjvjshbek

  • MD5

    e6a1902805c83744404c452f60c7cfd3

  • SHA1

    7281a9bec3e4697059827c190f92a0a97ce01b27

  • SHA256

    e10f8410577955a7504ceddb7a0bbfd4d6092025f1c351f5bb275fd323169e91

  • SHA512

    7ca353a4af6ea7ead248148a8a648795f0f346269659474828618910ce9b2bfb4d164b9200852043fc6b07ef7d349534704220db34c83564f067453e9fe394a7

  • SSDEEP

    192:75GBYgLaiSD6iMgEpOSvDMB6ZoHfzIYJSi98C07eOsPhPzb2IPkhAGGzuV:75C1aMgTx86Z98C07eOsPhOICAcV

Score
10/10
chaosransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Ransom Note
All of your files are currently encrypted by ONYX strain. As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion Login: ampkcz Password: fgh5RgsW73F YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!
URLs

http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion

Targets

    • Target

      a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b

    • Size

      26KB

    • MD5

      cf6ff9e0403b8d89e42ae54701026c1f

    • SHA1

      a4f5cb11b9340f80a89022131fb525b888aa8bc6

    • SHA256

      a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b

    • SHA512

      dca369de908ff4d8a6b095243d8837ad9eb885c78544565586196451f99303e9beb8635e01254514b485f22298b3eaf69afb3666b6032959ae3e9567e78dc575

    • SSDEEP

      384:Uo3Mg/bqo25M0RHcY5pmyjuwzUHJhr91CHW8wNa9get:UWqo2Zn5pPjKphr9z8wNHet

    Score
    10/10
    chaosransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks