chaos

General

Target

GH0ST.exe
Size

127KB
Sample

240320-x17psshe51
MD5

90b828929de1319e5b9bf94f4ae990b3
SHA1

8fc41267cfb9f057e78beca15b775d20fb01434b
SHA256

14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185
SHA512

57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921
SSDEEP

3072:oDk4Rq96liXWAPEV9Ue4znvqg2WVrxuF:h4Rq9UCW7WhZx

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Targets

- Target
  
  GH0ST.exe
- Size
  
  127KB
- MD5
  
  90b828929de1319e5b9bf94f4ae990b3
- SHA1
  
  8fc41267cfb9f057e78beca15b775d20fb01434b
- SHA256
  
  14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185
- SHA512
  
  57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921
- SSDEEP
  
  3072:oDk4Rq96liXWAPEV9Ue4znvqg2WVrxuF:h4Rq9UCW7WhZx
Score

10^/10

chaos meduza bootkit discovery evasion persistence ransomware spyware stealer trojan
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Uses Session Manager for persistence
  Creates Session Manager registry key to run executable early in system boot.
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1