Resubmissions

24-03-2024 00:36

240324-ax2m2sfa39 10

General

  • Target

    Private Chat V2.0.exe

  • Size

    124KB

  • Sample

    240330-l1ajhsde82

  • MD5

    8d6cf920922372018823199536ab94b9

  • SHA1

    c93931bbdda0f4efe54f5eaa7dd04c362d93689a

  • SHA256

    62a1c371bea432fcd5707d25810ab573b6ec269625c59db9539e3939d3fe9554

  • SHA512

    11a4499b072c1dabe61c19acb29da374b4d4979c2581bcc49c3bae43f5bec295d03d9af74158152f95310eb3aedfff3bac92c0d9f3f063fba283caeee5c5f41c

  • SSDEEP

    3072:jo8d30hr9ynxJxaJ3e6ua0g0qcB2f/u80kcmU/C7eJBz4gdw:Bd4r9ynxkbOqguxU6iW

Malware Config

Extracted

Path

C:\Users\Admin\Documents\README.txt

Ransom Note
All of your files have been encrypted. Your computer was infected with a ransomware virus. Your files have been encrypted, and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software. This software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $50. Payment can be made in Bitcoin (Bitcoin Address: bc1qakhl8eu20ely220fxm6d3tjsk2al64vrha4sxa), Ethereum (ETH Address: 0x22D2C1C38b3c26C9E403B34ea5aF42Af00e90d9f), Binance Coin (BNB Address: bnb17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV0205gfc6ykk), or through PayPal (Burner Account: [email protected]). After sent u can also email the email: [email protected] with proof of payment and u will recieve ur decryption key You can make the payment directly by visiting this PayPal site: PayPal Payment Site. How do I pay, where do I get Bitcoin, Ethereum, Binance Coin, or PayPal? Purchasing Bitcoin, Ethereum, or Binance Coin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Bitcoin, Ethereum, Binance Coin, or set up a PayPal account. These sites will help you to get fast and reliable Bitcoin, Ethereum, Binance Coin, or PayPal. Coinmama - https://www.coinmama.com/ Bitpanda - https://www.bitpanda.com/ If you will try to seek for help or advice we recommend not to. Why you ask? Because no other software can decrypt this ransomware, only us have the special key to unlock it. So getting other decrypters will be worthless. Don't even think about calling the cops: we will snitch about your pedo activity! You have exactly 12 hours from now to pay up or your PC will be locked for a very long time, approximately 125 Years! Have fun buddy. We monitor every move you make, 👁️‍🗨️ with 8 eyes on you, always one step ahead 👁️, lurking in your devices.
URLs

https://www.coinmama.com/

https://www.bitpanda.com/

Targets

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks