chaos

General

Target

FridayBoycrazyV2.exe
Size

280KB
Sample

240812-a63ayaxdlk
MD5

41e34a8240026b4e9cd8d81a73ee8b2c
SHA1

3876b12e152dd552a7059538242b6f87a23e60f5
SHA256

0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5
SHA512

a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73
SSDEEP

6144:1r93iyJ7/+WZT1kRnSeXSX9MNzxiMwP2OswK:iyJ7/+Wd1kRnFX4mNzxyeOswK

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Warning.txt

Ransom Note

Your files has been encrypted By FridayBoycrazy and you won't be able to decrypt them without our help What can I do to get my files back You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer The price for the software is $100 Dollars can be made in Venmo Or Robux only Please Contact Us At Gmail: [email protected] Discord Username: fridayboycrazy Payment information Venmo Amount: $100 Robux Payment Information: 10,000 Paid Ransom: https://www.roblox.com/game-pass/887175972 Paid Ransom: https://venmo.com/u/gratefulcode

Emails

[email protected]

URLs

https://www.roblox.com/game-pass/887175972

https://venmo.com/u/gratefulcode

Targets

- Target
  
  FridayBoycrazyV2.exe
- Size
  
  280KB
- MD5
  
  41e34a8240026b4e9cd8d81a73ee8b2c
- SHA1
  
  3876b12e152dd552a7059538242b6f87a23e60f5
- SHA256
  
  0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5
- SHA512
  
  a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73
- SSDEEP
  
  6144:1r93iyJ7/+WZT1kRnSeXSX9MNzxiMwP2OswK:iyJ7/+Wd1kRnFX4mNzxyeOswK
Score

10^/10

chaos credential_access defense_evasion discovery evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1