General

  • Target

    333333.exe

  • Size

    29KB

  • Sample

    230601-vbx3ysfd66

  • MD5

    df47134780d2ae126fec89f9f246d0e7

  • SHA1

    25806ed7b5ba0284d1ac6858b0f49db39f834b16

  • SHA256

    3f8db4913ef08a02254be20bd04543b55be72cb97f5de3cfd1d773c140abed2a

  • SHA512

    388e220da35f134274bfbc68acb675eab70987fe422e9aa4d5cb581ac6db42a6695142f9d8e59edb12072dfce91c8b3183b360ab9b0669ab1678292e4465a98a

  • SSDEEP

    384:s0JORJcf3Q3iPdxJODbzxqXIoyOVs91J4SYUcS+arWS:0JUJFxcX1q4t93bcGv

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Restore-your-files.txt

Ransom Note

## All of your files have been encrypted ##
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [ [email protected] ] - [ [email protected] ]
- You have to pay for decryption in Bitcoin.
- The price depends on how fast you write to us.
- After payment we will send you the decryption tool that will decrypt all your files.
- Write ID in the title of your email | ID? = ( NameFile.enc[Your_ID] )
------------------------------------------------------------------------------------
## Free decryption as guarantee ##
Before paying you can send us up to 1 file for free decryption.
The total size of file must be less than 1 Mb (non archived), and file should not contain valuable information. (databases, backups, large excel sheets, etc.)
------------------------------------------------------------------------------------
## Check link below if we didn't respond ##
[ rebrand.ly/N-Emails ]
------------------------------------------------------------------------------------
## Attention! ##
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      333333.exe

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

      Typically used to turn off Windows recovery and automatic startup repair, so the machine cannot be rolled back after encryption.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

      Sets the DisableTaskMgr policy value so the victim cannot use Task Manager to end the process.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

      Writes a file into a Startup folder so it runs at the next logon.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

      Registers the executable under a Run key so it is launched at logon, a second persistence mechanism alongside the startup file.

    • Drops desktop.ini file(s)
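
The signatures above name behaviours but not the exact commands or registry writes the sample issued, and the report does not list them. The following Python is an added example, not part of the Triage report and not code from the Chaos tooling, showing how a detection engineer would turn the three recovery-inhibition signatures and the two registry signatures into rules over Sysmon-style process-creation (ID 1) and registry value-set (ID 13) events. The event records, image paths, SID and the value name "updater" are constructed for the example; the command-line patterns are the standard forms these signature names describe, and the two benign events at the end check that read-only uses of the same tools do not fire.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """Minimal stand-in for a Sysmon event. Constructed for this example."""
    kind: str                 # "process" (ID 1) or "registry" (ID 13)
    image: str = ""           # executing image
    command_line: str = ""    # process events only
    target_object: str = ""   # registry events only: full value path
    details: str = ""         # registry events only: value data as Sysmon renders it


# Command-line rules for the recovery-inhibition signatures. Each requires the
# destructive verb, so "vssadmin list shadows" or "wbadmin get versions" stay quiet.
PROCESS_RULES = [
    ("Deletes shadow copies",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("Deletes shadow copies",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("Modifies boot configuration data using bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Deletes backup catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

RECOVERY_INHIBITION = {
    "Deletes shadow copies",
    "Modifies boot configuration data using bcdedit",
    "Deletes backup catalog",
}


def _is_dword_one(details: str) -> bool:
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; accept a bare "1" as well.
    d = details.strip().lower()
    return d == "1" or d.endswith("(0x00000001)")


# Registry rules: (signature name, regex over TargetObject, predicate over Details).
REGISTRY_RULES = [
    ("Disables Task Manager via registry modification",
     re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I), _is_dword_one),
    ("Adds Run key to start application",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     lambda details: True),
]


def match_event(ev: Event) -> List[str]:
    """Signature names (as the report lists them) that this one event fires."""
    hits = set()
    if ev.kind == "process":
        for name, rx in PROCESS_RULES:
            if rx.search(ev.command_line):
                hits.add(name)
    elif ev.kind == "registry":
        for name, rx, value_ok in REGISTRY_RULES:
            if rx.search(ev.target_object) and value_ok(ev.details):
                hits.add(name)
    return sorted(hits)


def triage(events: List[Event]) -> Dict[str, object]:
    """Aggregate hits for one host session.

    recovery_inhibition is raised only when at least two of the three
    backup-killing behaviours occur together: any one alone is occasionally
    legitimate administration, two or three in one session almost never are.
    """
    fired: Dict[str, List[Event]] = {}
    for ev in events:
        for name in match_event(ev):
            fired.setdefault(name, []).append(ev)
    inhibit = len(RECOVERY_INHIBITION & set(fired)) >= 2
    return {"signatures": sorted(fired), "recovery_inhibition": inhibit}


# Constructed events (not taken from the sandbox run) in the shape the signatures describe.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPED = r"C:\Users\user\AppData\Roaming\updater.exe"   # hypothetical dropped EXE
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          command_line="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          command_line="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                       "& bcdedit /set {default} recoveryenabled no"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          command_line="cmd.exe /c wbadmin delete catalog -quiet"),
    Event("registry", image=DROPPED,
          target_object=SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
          details="DWORD (0x00000001)"),
    Event("registry", image=DROPPED,
          target_object=SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\updater",
          details=DROPPED),
    # Benign administration that must not fire.
    Event("process", image=r"C:\Windows\System32\vssadmin.exe", command_line="vssadmin list shadows"),
    Event("process", image=r"C:\Windows\System32\wbadmin.exe", command_line="wbadmin get versions"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for name in result["signatures"]:
        print(name)
    print("recovery inhibition:", result["recovery_inhibition"])
```

The regexes key on the verb plus object ("delete shadows", "delete catalog") rather than on the tool name alone, which is what keeps backup-administration noise out of the alert queue; the session-level rule in triage() then promotes the combination of behaviours, not any single command, to a high-confidence ransomware finding.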

MITRE ATT&CK Enterprise v6

Tasks