chaos

Resubmissions

13-07-2024 09:54

240713-lxcvgawdmn 10

13-07-2024 09:52

240713-lv46yawdkj 10

13-07-2024 09:46

240713-lrz3tayajc 10

Sharing

Copy URL

Twitter E-mail

General

Target

New fol76der (2).7z
Size

13.9MB
Sample

240713-lrz3tayajc
MD5

98ceaf94ea13b449faa32b08b1b7ae12
SHA1

746943a01e944ec3d80e469d3f17307194e972ee
SHA256

0d9fcb8894240750cb5e4222ea78572aba6618eb5297c2069588ceb979d52d8b
SHA512

d463c4ed99b7b687ad7fabeb8d4da68042cc1d495cc558fb5c8548efd19b1cae5b733192899de9dcb67417ca5bef3349945cef6e6fa9748d3f739a5f973bf05f
SSDEEP

393216:nUwf43Cv30IES/FQeIrZ8ozAxcY04KZ7ZwMFniW:NbcQTILscY/KZ7biW

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SkynetData.txt

Ransom Note

------------------------ ALL YOUR FILES ARE ENCRYPTED ------------------------ Don't worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information Don't try to use third-party decrypt tools because it will destroy your files. Discount 50% available if you contact us first 24 hours. T0 get this software you need write on our e-mail: [email protected]

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

What Happen to my computer? DONT USE GMAIL.COM FOR CONTACT US Your important files are encrypted. Many of your documents, photos, passwords, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for way to recover your files , but do not waste your time. Nobody can recover your files without our decryption KEY (if somebody will tell that they can do it, they will also contact me and I will make the price so much expensive than if you contact directly). !!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!! !!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!! Can i Recover My Files? Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time . So If you want to decrypt all your data, you need to pay .As fast you pay as fast all of your data will be back as before encryption. Send e-mail to this address: [email protected] You have to pay for decryption in Bitcoins. ATTENTION Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. If you want to try datarecovery company just ask for testfile.They have to give it for you if they can do something. They will not. Key Identifier: jb8x7aM4Vc1082NcEnTnuMb2v/lrmR/nuNbbTeVpc52vBZpuGiROMOdOM8OrBALY4QpvURkwRsnoKF0w9wzJw6aDV3+SKxpu1TudFDFO7XuSdOj01UmKAHHZv42cMfqEAEqGO2vbddwsEgtama11BTaYsH52nfu4vGx8Ro8HpNIVsWxk0yONROVwO2bBU1K8WPzssmozi35iXgkOF/ZlyB6AnbEaJDTVmlt0FiwfTi163R7nyfx++b7n8fNC44/3/rWJNCNOp24bq6iHmrpT/EYYIANprxHb8BfahmFVz+1BM4POVXxvOWuB9dq3CS6sLcqYCmh6QFZmmU0JITha/tuzjlHRWsI8AOjBuT8gMBVdfsvNgnHSN/H98nIwgJa6LvP6DWHEHnNxraG1LBF9pJqFaAeYknCsco0Bba6BbhAiK9+NfceyyVFi9CJ3rSj7mD+k9DAIpvM/fH+E6/rpHAdwXjQQKgYa1OQ0xhJkbgKUTZiBeXzG91pLQDBCDW2Vt6khFFetYzTjlfKYtf6EqmV/cL6G7hNL9Tm1tix3uAI1crdrllMGBJRMXQCaqGcUWdo7gblDiNap1Cs1HxPIK2JXvzhgcvF06fscKMOjdwKfDC1pDlFVXmUmZMQLDTbQClt2PjQmik0M/HTPVL5/rD7l3kd7Y0cxYzDlrDJA+5g=

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note

Emails

[email protected]

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

67.213.221.18:7812

Mutex

KFoYp486ql6lO6U0qI

Attributes

encryption_key
OtItMK9boIZNOQTejUzg
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Windows Services

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note

WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin or XMR. How do I pay, where do I get Bitcoin or XMR? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin or XMR. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : [email protected] BTC address: bc1qsht77cpgw7kv420r4secmu88g34wvn96dsyc5s XMR address: 44GUTQ7WqysSjLDCXfTnsYLCVJNGp67AECA9kTrAvjYCNz3ScZkYXZKP2EbR3DfbXPUYw6bMkaBuYCd6PdJCYngr4WtCeFt

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note

TuRKey_RanSOmWarE All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0,022 BTC Bitcoin Address: bc1qxwnqayk77nha5509swmclfzgkas6gc9t8xjj64

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Extracted

Path

C:\Users\Admin\Desktop\read_me.txt

Family

chaos

Ransom Note

Targets

- Target
  
  0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93.exe
- Size
  
  328KB
- MD5
  
  b00f66d6e5f0c0daa86a03f1106920f8
- SHA1
  
  f7444b3934ce61c65c658a06c3a98aa9f08729e6
- SHA256
  
  0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93
- SHA512
  
  da18b638ec68a706a92d06551eed74afaa9da3a3d1f7e11361b50413c06b26fd5df862fb36a8e4290c3a8dead12fcfb8692d2a0e667bcf3355a614efdc9a0899
- SSDEEP
  
  6144:eGEjbL0hiIO18+LDCvzCnQHw67feMv8KiPuTL94:eZJIOG+vCvnJ8tPuF4
Score

10^/10

chaos defense_evasion evasion execution impact persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924.exe
- Size
  
  1.9MB
- MD5
  
  f0fd67c94f25de71c2fcdff4af0d2889
- SHA1
  
  2f4884f4e241d0bda353dc074ea1752e0b79af8c
- SHA256
  
  2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924
- SHA512
  
  13986923eaef12dcbe1a0ce71ca47829ab1209df761c077c83981685fa61d01320372fb9a68d5b6622b597f443dccb125a2033aaf82857c873b1ec2b3e5ebdb0
- SSDEEP
  
  24576:6SndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMelv1:/fJqsgXmgyJP
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral2
- Target
  
  290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451.exe
- Size
  
  3.8MB
- MD5
  
  3566f930e73eacee6933e672c1085d98
- SHA1
  
  d6c5408fabbf943721946073c80049c3c65f8c8d
- SHA256
  
  290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451
- SHA512
  
  09e5edcc5fe7a8e6dac63690eb1c8674541993c5a10130db7ed3cee90d802705dc07a0b13612c6326b9462145dcac35e136b12555096e0ee8577e00c3aab69af
- SSDEEP
  
  24576:TbnWYoXXBzGmL53TaX+vnyuNMOCig82RfVL0K1RWLghaPZUwB74amJl4aOLW6u3r:/W3XXBzhaWBq8Yy8kZmzJ/m
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral3
- Target
  
  3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f.exe
- Size
  
  153KB
- MD5
  
  4c19104c6df0817095be0846b1607de6
- SHA1
  
  ae3bf7a043cb10e8b206261af6af1558fc3d518b
- SHA256
  
  3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f
- SHA512
  
  d1ac86c12068192fe1dafd16a6c73e1dbabf0be5ca8c59ba3eeb6290c6061a207c0f91b77f42b190d4f8ebdee4a33a7dc596c7883c451cb039c3c2a0f37e8e4c
- SSDEEP
  
  3072:o3kkKmAr9iVE3E04sMsXVpBWwLJwvkywY2ZDja9eIBdvhGkJJ9QuxIMb68J5K:y8r9it04XYVBIkNYcaeUvkkD9QRMb6
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral4
- Target
  
  435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b.exe
- Size
  
  1.1MB
- MD5
  
  75ad544ceac0f47859e0f5417b950889
- SHA1
  
  5e4976f34abe798ec40087d4a4831e60040cd7dc
- SHA256
  
  435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b
- SHA512
  
  cd9b17097d4f3d878966ef3f6f8269db3cf96ae517d593b3521761de4ee0fc3b8c8a2e1f603b90ffe73f6426bd5648f9d2f0dbecf6904f96568909745cb9db95
- SSDEEP
  
  24576:BiIxSqmMEiPPHxXaUHtauiIxLmKPPH3paUS:NSqmKPvxqUHIOLmKPvgUS
Score

3^/10
behavioral5
- Target
  
  495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72.exe
- Size
  
  2.6MB
- MD5
  
  9756b1c7d0001100fdde3efefb7e086f
- SHA1
  
  55de88118fe8abefb29dec765df7f78785908621
- SHA256
  
  495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72
- SHA512
  
  d9497cd0af40cc3149db52aee1ba333e8261232ff00e6e7208eaac639fba533d6931828823c3c3211bddf083260904d77d595d877070eb218075b1f631e13f07
- SSDEEP
  
  49152:kNJLuf3HJrb/TfvO90d7HjmAFd4A64nsfJjogr1n3wSmZD1UCu5ErgXpS/IXF+9c:Tf3SvEoDY95e
Score

1^/10
behavioral6
- Target
  
  542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688.exe
- Size
  
  341KB
- MD5
  
  ffdefa247d3bb4429558e8b334f4f2ae
- SHA1
  
  af9f3af31889b55552a5721244184d0a115be74c
- SHA256
  
  542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688
- SHA512
  
  0f4b5534179a690bbaa5333fbf4b11e881d2b60c37f3ade95ebf6b481bbf58b76a17bf4945883babadd8b5b9681c4710ddb2ab4380cd27cf73430e8609d0b9d7
- SSDEEP
  
  6144:Drbwc9N+fwvDIK9LpXXXXXXXXXXXXXXXXQGuFFM5:dWwbLpXXXXXXXXXXXXXXXX5uw5
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (174) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral7
- Target
  
  561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35.exe
- Size
  
  240KB
- MD5
  
  66e01e1ac0e274c1b4d909e70668a6ad
- SHA1
  
  fe5a8fa628bbf960010c28625aa58e87d2800978
- SHA256
  
  561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35
- SHA512
  
  39ebdc7542e255ca9f47d9730fa2fc36e29719a84894522c71a5dcfc9da757563b1b47e3d72ab58db94cfe11d3efc37046f833ce5c03b3f0f3ac309eadc39474
- SSDEEP
  
  3072:Rmrhm1eibcR+uiUg6p4FLlG4tlL/+mmCSHFZxoHEo3m:REgoZiZhLlG4immCm
Score

10^/10

wannacry ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Sets desktop wallpaper using registry
  ransomware
behavioral8
- Target
  
  617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb.exe
- Size
  
  304KB
- MD5
  
  b634be3c5eb62c87ebbf90f655581e96
- SHA1
  
  089c2c51a4768925cf5dd0e88726d8a88e861795
- SHA256
  
  617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb
- SHA512
  
  090e9dbd685b31818a0a157b042d042e519a43008e4b94ddacf479b34c3c24de7b938a8baf51a8bc0bb3a11a6852ca6ad95988b75c77fa82aef30f7fd8e062fe
- SSDEEP
  
  3072:6SuVNqRgZRUA0S9tRtd6V+h8Rtt05NkkbjyGez1c:6SaNFZRdnxS++rt07kkbmt+
Score

3^/10
behavioral9
- Target
  
  6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8.exe
- Size
  
  400KB
- MD5
  
  47e14a46326791625b67704d4329bed6
- SHA1
  
  01e0e607678a36d8e7e23d1fb11f8d7aa2c20581
- SHA256
  
  6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8
- SHA512
  
  e979fb4537a7fadbc6583a5cd537ce533111ea4a596bd8486b9fbf551ed7b390271a6218ccf71cd052d4270c1fe1957ec0aae4527c9613a0cdbc0e24641a19a2
- SSDEEP
  
  6144:cMr9/U806q0jnjCyc1rIGruapfd7ggZqLuID/pFZwVZ3j:a806qwjCycpIGRpfd8cqCITpFZwD3
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral10
- Target
  
  63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
- Size
  
  390KB
- MD5
  
  5b7e6e352bacc93f7b80bc968b6ea493
- SHA1
  
  e686139d5ed8528117ba6ca68fe415e4fb02f2be
- SHA256
  
  63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
- SHA512
  
  9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
- SSDEEP
  
  12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral11
- Target
  
  6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42.exe
- Size
  
  97KB
- MD5
  
  b5de1cca5ec8047847717b01c268509a
- SHA1
  
  c463d7aa1e69a591ef75db3f0e4b08dcc2901c1e
- SHA256
  
  6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42
- SHA512
  
  a28cc345e4cbff344ec0aef7cdfe231ae9b1ac3f99a5dae6d9aa3f807fe3da9cf64b826bf1b72f3a697a13089d8370d42dbd60ea79e1a0469508647185dd80c9
- SSDEEP
  
  3072:YrnY2lU8KdD5/Ut6VToG9o+8DtRzpytcpRf9EI4Ixe:/fNdO7f9T4Ix
Score

10^/10

discovery evasion execution persistence privilege_escalation ransomware
- Disables service(s)
  evasion execution
- Renames multiple (236) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Modifies file permissions
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral12
- Target
  
  677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59.exe
- Size
  
  426KB
- MD5
  
  b532d352685523141305fa9135192256
- SHA1
  
  fa0e364afa99bca61d747e23a04eddc5b10ffdb2
- SHA256
  
  677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59
- SHA512
  
  16fd0ff50df7aefed9ebb4e221b86bd72e6e73c9b761216f37f7c26d328ca577e58d70e68b249cfe873e6073a5d258bcb4a88d4214bade8817de9b7376e09eda
- SSDEEP
  
  6144:LL0IMdpqDpE9TWvZqtMNXzhTqm8jjyhNYIa/19zTD8WGLA+m4dZvR5SE+v8BW5:LfrDp6TgZqtklvNiHPD8WS8yBb8
Score

1^/10
behavioral13
- Target
  
  680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75.exe
- Size
  
  439KB
- MD5
  
  8f808bb54b422500304dfc68b87198fc
- SHA1
  
  24ebeb615f0bdcaa3980722100d6fc42111b62ec
- SHA256
  
  680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75
- SHA512
  
  46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99
- SSDEEP
  
  6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral14
- Target
  
  70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b.exe
- Size
  
  155KB
- MD5
  
  179b38c276e09d3b8a79854ba7232094
- SHA1
  
  bc218f468367b4cf127b10a02d2a62f28f35216a
- SHA256
  
  70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b
- SHA512
  
  367c52c5f8ed2166f3d1e6edf564feefa50f46b8bbdbe1b3ab7007eec02db9d4a806e2f32757ea349a86fded9d4586ff0ae5c8e2403f2ace84083dc05253fad7
- SSDEEP
  
  3072:S5K/B0toLQSNJwlxwsx89TSdBgjMqqDL2/TOKyRG:ScytwtLTTSdBgQqqDL6SKN
Score

3^/10
behavioral15
- Target
  
  76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d.exe
- Size
  
  362KB
- MD5
  
  e52021298206c71590c27392abb94691
- SHA1
  
  9f9dbed14bee77d30afe99fc7a395259a9cded27
- SHA256
  
  76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d
- SHA512
  
  50408bf9c4276a4683a1e8bcbea142347dd82b20c21398c16391203dbb68094cb9198e9a9dc68bac7f81c54c27b71b1f0aa2478db1af339e4e1cc3dc7c7a7667
- SSDEEP
  
  6144:xii9gD+iITRy1fGN/ekNymaSszzRm663xjxc6BN/47Ar68SdQtqcK7:Hgi/GfGpJCR+3547Ar6tdb/
Score

3^/10
behavioral16
- Target
  
  8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44.exe
- Size
  
  953KB
- MD5
  
  adb3dde4a25e596c16ced4cdfc6ff8dd
- SHA1
  
  7934e6bc9489933c0af8dfe7bdff482fc6759bdc
- SHA256
  
  8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44
- SHA512
  
  f14c27892ed4d11bdd46a130abc7fa40ae8c4577bcd45c3af7c5928b82f27c3646b906fda880e5c9df623071edaab8de82fd46af8f3194f33d7d46c2c3d1d587
- SSDEEP
  
  12288:vEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzzjc:/ztQE1ov2AZ9HjkftWy3P
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (203) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral17
- Target
  
  91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc.exe
- Size
  
  53KB
- MD5
  
  c5b0f786fe68a4312307535890ba01e4
- SHA1
  
  ca15010a195cdfdf0af95f2c2543930311142994
- SHA256
  
  91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc
- SHA512
  
  b510164ff1c47c198945ab51d8fa2b9d77ebf44b817286c031514554273f7b7d82a85f8932c2b33bd564e7a86277f056689cd33603b5b1d52a37c39dad6b8b55
- SSDEEP
  
  1536:zNPTkHhFRy2/NSTEj1FVl1Ft9N1FVl1FVFS0TztlY27VqmSVzyqYvd0bRPp24dfv:hIHhFR//NSTXYztlY27VqmSVzyqYvd0j
Score

10^/10

ransomware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Renames multiple (74) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
behavioral18
- Target
  
  93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9.exe
- Size
  
  361KB
- MD5
  
  7be37dff77a6257da2b430ab7c483612
- SHA1
  
  028356262caa0076adb3c0a0ad87e4418d386ec8
- SHA256
  
  93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
- SHA512
  
  09dae1c1cb5b07dd4099d21db53f3d08a5ac354777086e666bd872532a37539a67455c35768e78cfc4e181f03bd67ba546aace35d2b50c7aa68a2433c317634a
- SSDEEP
  
  3072:6pbgo3vg+rJrkQVOUPrxLExK08A+MQ20AFHxH32Hdxkq51:Ubf3vg+rOgOyrNEI3AxQUHK
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral19
- Target
  
  942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c.exe
- Size
  
  286KB
- MD5
  
  ca1c3c08b1291ee31fb47f039ad08129
- SHA1
  
  629446ad19eb04f6edb8c576bf007facf4ff249c
- SHA256
  
  942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c
- SHA512
  
  e1b49a9738d44666dd93f248844e6bfb331db16c171f05af8333852a99e9c335c527effab61e8de796bed9d9199dfccc9c8f0199fc0eb5998eec9e758bb272fa
- SSDEEP
  
  384:123MLWHn3kIt/F6Y0p9dpTWJpr91CznHZN0eNQ6Jki2xC5:En3kIX6rp9j+pr9inHD0eNh5
Score

10^/10

chaos ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral20
- Target
  
  ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8.exe
- Size
  
  325KB
- MD5
  
  9a4827a78e363d84ea0e334e842ab039
- SHA1
  
  a0d222d2fd9cf90a47a134ef571232ee482a45f7
- SHA256
  
  ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8
- SHA512
  
  0f20fbf72e254155f0b2403488f5d8262c98138335380f3267afed6b79b91f2c9198924853dccb5b60bc9075876a700e12fc7b8509075bdb3b13776d3514ad0c
- SSDEEP
  
  6144:9dCr9fPhxhdsVFGEeRJk8nrKfQhCd/hAxno0yu:TEhxbsVFGEeRJk8mQE7Axqu
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (209) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral21
- Target
  
  baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f.exe
- Size
  
  35KB
- MD5
  
  d7a77d7d1657b93fc7270895e86dff74
- SHA1
  
  700448723acc915ad6ec8d7f9009f9305f642818
- SHA256
  
  baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f
- SHA512
  
  7d90dff4e81e8ad2dcb75c5ac58f875a332e62db9654d89261013007c5211f5a4dcf208fda5e13f1d5220e179cd557cf8212314578ec03691a3b0dfb6843137b
- SSDEEP
  
  768:sn3kIE69pYIlfr9ixbceEz0pmc+33t7gG:a3kIr3fr9ivEzog39
Score

10^/10

chaos ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral22
- Target
  
  bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369.exe
- Size
  
  205KB
- MD5
  
  62e53bc5aa5f2a70a54e328bff51505f
- SHA1
  
  e7deceee97a09d539d81eb91f988ece5e2a2ff51
- SHA256
  
  bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369
- SHA512
  
  a676dd284188271be1760ed1edd3320341713662aba1c615481f256007e614e58756a7b6a565beed777230c2ae829c561e3bf3510921ad6495d3776cfdfaa793
- SSDEEP
  
  6144:+B4mr9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B40qHW7nU/pZmiXqy
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (206) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral23
- Target
  
  c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe
- Size
  
  89KB
- MD5
  
  77bd76f4e4b9481432022ab3b10c89c0
- SHA1
  
  8213a974f617ee9b191e605856e776ab96ff4382
- SHA256
  
  c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07
- SHA512
  
  ad30bb25260f959f2d3db823b2ca65b06cdfa6dc5d27527b053e4b5526ed6363519e6fd137c33f53371d8d4df2bcd6ac49aeab2631b106c891db41d0478e70ce
- SSDEEP
  
  768:yuqo2ptMp1g4+kR7Er9jJxbXeqxSIHTe9dLTdp:yto2ug417Er9jJsqjHs1
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral24
- Target
  
  c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326.exe
- Size
  
  164KB
- MD5
  
  a881838937a145cab27e5c9b439a1ff5
- SHA1
  
  4cac0241e3d0e1636a174134a623a879adb2a86b
- SHA256
  
  c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326
- SHA512
  
  888a3f2f45cdc81bc766c66079e250100a3d0641883ecbcf2bcf6deec1ad7c7b2d0e96e466a2b64ae5867afb3c75071763b408250f190a60f69f79a502b5c604
- SSDEEP
  
  1536:muW0xpn7JWWkH7Jx1Q3j1OefTixyvYZKmWuz82HnJq0Wm03O8gOo:s0TIVAJOHxyCKmW12q0WmG4
Score

1^/10
behavioral25
- Target
  
  cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5.exe
- Size
  
  125KB
- MD5
  
  a0f62032cb73a15dd8f3d3165e29cbe5
- SHA1
  
  099e4d118e111e8fdf0d2ad1fba8e62b7edf80f1
- SHA256
  
  cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5
- SHA512
  
  96e6ecd312cc6f44091a177865c87ba03ad7009f373195c8a0c73c9fd39030a785c34e80d203d5382082d496e6ccfc9356bea6c30da46ca296ac82a6c071c70e
- SSDEEP
  
  768:qn3kIQok/p54NwJfKXRu+r9iPe+FdbJVqB+QPE2IikqKs:Q3kInkH42IU+r9i2+F1Jok
Score

10^/10

chaos ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral26
- Target
  
  d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834.exe
- Size
  
  10.9MB
- MD5
  
  a82df55a03a3dc038985a30f797cef24
- SHA1
  
  fd30147c88f65ee9c83da7fc98c75c02a2fa7b8f
- SHA256
  
  d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834
- SHA512
  
  d587cb272e28d8142a1e62fb926637c9b3be348984f17afa390b29fe04c726286de95a2f881b22b187881d2e1a440306306cb91ce16f1cdfb1f6fc5c368194b9
- SSDEEP
  
  98304:xnwgVIXh9xYacrRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/LKbxabdDkEduupRlQgWm:u/YaolX+aFFLlPKQ8hY/RkQWslX4ge+
Score

1^/10
behavioral27
- Target
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
- Size
  
  338KB
- MD5
  
  04fb36199787f2e3e2135611a38321eb
- SHA1
  
  65559245709fe98052eb284577f1fd61c01ad20d
- SHA256
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
- SHA512
  
  533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
- SSDEEP
  
  6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score

10^/10

cryptolocker persistence ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral28
- Target
  
  daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
- Size
  
  1.9MB
- MD5
  
  93d4eb996675019ed856d0b8c5c46515
- SHA1
  
  a9f67e260a098a55252f0eba7b9333c1cf5b8374
- SHA256
  
  daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde
- SHA512
  
  518d24574201e262fc31c1ec6ea07af1285ba4f93805e34f9e8cee472376a7cc5f597020dc702ea165c159c5abc6ae91209dce8250f90766ffc3410615cc1e91
- SSDEEP
  
  24576:tnxLSUXY7WSIGgjlvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZZv1xim+y6HLOO3
Score

9^/10

discovery exploit persistence ransomware spyware stealer
- Renames multiple (8547) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Possible privilege escalation attempt
  exploit
- Deletes itself
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral29
- Target
  
  ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a.exe
- Size
  
  458KB
- MD5
  
  72ea584eebe5705ea1fd5a02dbfe86a1
- SHA1
  
  f6d6cdef7eb41e9c201ee52832036bd8a68d0e44
- SHA256
  
  ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a
- SHA512
  
  e928592dd7061388957c3f1acc82dfd8e105de486e8cbd4835029f7d302f71dcdcb8d9dfd0b2a5b53fbd2679dcc6f8559487e1e5767d26431fc67348d1f4ab08
- SSDEEP
  
  12288:GJaHnpS22Yh6Nesa6rZvvihw61SLQkY5Pa1uLkB3gE88uY2:DpSosXaYhVZVMVm2
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral30
- Target
  
  f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0.exe
- Size
  
  205KB
- MD5
  
  2430019335d88321467e82ab8f51546b
- SHA1
  
  7d233a893492e0efd4d7e919941325b5d44abeb7
- SHA256
  
  f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0
- SHA512
  
  6ee56eabe77caf05bde12e9e8fbe97703cccee33cfbe09c38e0a0a397a3f93221751bbcd2ad2261f6a11839ef2741689478578ed3cd9ae2d781c3fffee3c2e7b
- SSDEEP
  
  6144:+B4Ir9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B4uqHW7nU/pZmiXqy
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (201) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral31
- Target
  
  f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe
- Size
  
  3.8MB
- MD5
  
  15995b0b1fc5dd82f1c3ba1b7b40c5d4
- SHA1
  
  3b6a4a5b8b1107854e35b01cd28b4cce7a003413
- SHA256
  
  f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
- SHA512
  
  4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781
- SSDEEP
  
  49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:
Score

10^/10

evasion execution persistence privilege_escalation trojan
- UAC bypass
  evasion trojan
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral32