chaos | 2dcc9c629488710a424dba2eefcfbecbf1edcc092a8387be7929db59f9692e71 | Triage

Submit
Reports

Overview

overview

Static

static

PrivateChat V2.0.exe

windows7-x64

PrivateChat V2.0.exe

windows10-2004-x64

Sharing

General

Target

PrivateChat V2.0.exe
Size

87KB
Sample

240322-2t5zvaaa67
MD5

4e0daa19b125c8e2703e9de440b1340b
SHA1

8dd7592a40384093ab296ea4a0ae14102441b884
SHA256

2dcc9c629488710a424dba2eefcfbecbf1edcc092a8387be7929db59f9692e71
SHA512

8bf90f3d89e0592b5e5f1f6b1d5a362b1db84612eb8f737bec7e17c25e8e9748dd0293e40addea8f77c4f49e7e3a1e345ff78e1ee150dc29bfb643bbdb78e040
SSDEEP

1536:SPvg251EzYY2MkcqhQP6xY9G+beYZFy+U0/A1OG36zvO5d2LueRISbfX:SPvg2szr5kcqhgx8+be+yTL+OjOusr

Score

10^/10

chaos xworm evasion ransomware rat spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

PrivateChat V2.0.exe

Resource

win7-20240221-en

xworm rat trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

PrivateChat V2.0.exe

Resource

win10v2004-20240226-en

chaos xworm evasion ransomware rat spyware stealer trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

employees-resolution.gl.at.ply.gg:35582

Attributes

install_file
USB.exe

Targets

- Target
  
  PrivateChat V2.0.exe
- Size
  
  87KB
- MD5
  
  4e0daa19b125c8e2703e9de440b1340b
- SHA1
  
  8dd7592a40384093ab296ea4a0ae14102441b884
- SHA256
  
  2dcc9c629488710a424dba2eefcfbecbf1edcc092a8387be7929db59f9692e71
- SHA512
  
  8bf90f3d89e0592b5e5f1f6b1d5a362b1db84612eb8f737bec7e17c25e8e9748dd0293e40addea8f77c4f49e7e3a1e345ff78e1ee150dc29bfb643bbdb78e040
- SSDEEP
  
  1536:SPvg251EzYY2MkcqhQP6xY9G+beYZFy+U0/A1OG36zvO5d2LueRISbfX:SPvg2szr5kcqhgx8+be+yTL+OjOusr
Score

10^/10

xworm rat trojan chaos evasion ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

behavioral2

chaosxwormevasionransomwareratspywarestealertrojan

© 2018-2025

Terms | Privacy