chaos

General

Target

baal.rar
Size

244KB
Sample

240502-fc2efahb7t
MD5

206cfa47756bd42a8732291ae553683c
SHA1

e3fbf66dadf419bfdc027479a27868f62225a6dc
SHA256

e16d8362938a947ac10d73a586031edbbfe893d23c95785c8d32a1f2200e667d
SHA512

5f7c7bba541013ef6a70273034f4649b477f3623e1f8ad1cf89af90936627b79ba2d701426d3b7b29aa17d0e89d7a56e4836f61b323042e70062c8d3b73490f7
SSDEEP

6144:669zrN83QXlUpIUDp5Abz5mpqsxALFWlpz:62zrN838+p5Abz5mpqsxALFUz

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

YOUR PERSONAL INFORMATION IS NOW ENCRYPTED WITH MILITARY GRADE ENCRYPTION by BAAL RANSOMWARE All files on all affected machines and network have been encrypted with Baal Ransomware Encryption. What guarantees do we give to you? You can send 2 of any encrypted files to us to decrypt then send them back. Who is responsible for the Ransom Fee? The SARB & SA Mint Organization not its employees or assosiates will need to pay the fee to obtain the unique decryption code & tool that contains the private key linked to this specific ecryption. NOTE: All data is ecrypted (locked) not overitten hence can be decrypted with assossiated key only. You have only 6 (six) days to meet the Ransom fee in Bitcoin. Instructions: 1. Send 121 BTC (Bitcoins) to the following receiving address: 19DpJAWr6NCVT2oAnWieozQPsRK7Bj83r4 Note: All Bitcoin transactions need six confirmations in the blockchain from miners before being processed. In general sending Bitcoin can take anywhere from seconds to over 60 minutes. Typically, however, it will take 10 to 20 minutes In most cases, Bitcoin transactions need 1 to 1.5 hours to complete. 2. Send blockchain transaction id screenshot not link via to the email address: [email protected] 3. Once the transaction is be confirmed. We will email back the one-click decryption tool to fully decrypt and recover all your files and remove the randsomware on all your machines and network permantly. (No I.T. background required). 4. The decryption usually takes about a few minutes to an hour depending on the scale and size of the files and additional drives the Ransomware has spread onto the network. What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt then send them back. You have 6 days until the decryption keys are terminated and all data on affected machines and networks will never be recovered. We make use of Military Grade AES Encryptions. Without the linked decryption key you can just forgot about ever recovering encrypted data. ------------------------------------------ 'Blessed are the strong for they shall inherit the Earth' - Codex Saerus

Emails

[email protected]

Wallets

19DpJAWr6NCVT2oAnWieozQPsRK7Bj83r4

Targets

- Target
  
  baal.rar
- Size
  
  244KB
- MD5
  
  206cfa47756bd42a8732291ae553683c
- SHA1
  
  e3fbf66dadf419bfdc027479a27868f62225a6dc
- SHA256
  
  e16d8362938a947ac10d73a586031edbbfe893d23c95785c8d32a1f2200e667d
- SHA512
  
  5f7c7bba541013ef6a70273034f4649b477f3623e1f8ad1cf89af90936627b79ba2d701426d3b7b29aa17d0e89d7a56e4836f61b323042e70062c8d3b73490f7
- SSDEEP
  
  6144:669zrN83QXlUpIUDp5Abz5mpqsxALFWlpz:62zrN838+p5Abz5mpqsxALFUz
Score

10^/10

chaos evasion ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (195) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2