General

  • Target

    2024-09-16_9a0a653a28144ed4aef29c405eed6cd5_destroyer_wannacry

  • Size

    26KB

  • Sample

    240916-ss86favelm

  • MD5

    9a0a653a28144ed4aef29c405eed6cd5

  • SHA1

    80b6f3d4ea6efd4bec02cb6864a179ffcbf7ea5e

  • SHA256

    a37e08164fbf4bcfe5e4a8b818ec45b150f0e4206a1ecb84489a5e34c7d528cb

  • SHA512

    0a98cd89d9693f7984826f0ed4cb54bf359415b2a203fc19631c12d982cd5b80c160e8b7315689cbb2df9a1eac0e79d99df0c82bd86662f7916020177eba17e7

  • SSDEEP

    384:A3Mg/bqo2vLPQUvuIqpm9FOjUJnr91Cep4DqHaQ0jseO:+qo2MU0pIOj8nr9N+DqHEIeO

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Tox ID: EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181
Your personal DECRYPTION ID: 10211
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
>>>> Advertisement
Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in tox.
Tox ID : EEC1A34EA55C1DBC63D8BCC4779D93BB64FC9036C82210467DEB1948A3ABC2248CE1CAB7A181
URLs

https://tox.chat/download.html

Targets

    • Target

      2024-09-16_9a0a653a28144ed4aef29c405eed6cd5_destroyer_wannacry

    • Size

      26KB

    • MD5

      9a0a653a28144ed4aef29c405eed6cd5

    • SHA1

      80b6f3d4ea6efd4bec02cb6864a179ffcbf7ea5e

    • SHA256

      a37e08164fbf4bcfe5e4a8b818ec45b150f0e4206a1ecb84489a5e34c7d528cb

    • SHA512

      0a98cd89d9693f7984826f0ed4cb54bf359415b2a203fc19631c12d982cd5b80c160e8b7315689cbb2df9a1eac0e79d99df0c82bd86662f7916020177eba17e7

    • SSDEEP

      384:A3Mg/bqo2vLPQUvuIqpm9FOjUJnr91Cep4DqHaQ0jseO:+qo2MU0pIOj8nr9N+DqHEIeO

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

      Ransomware commonly uses bcdedit to disable the Windows recovery environment and automatic startup repair, so the victim cannot roll the system back to a bootable, pre-encryption state.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Drops desktop.ini file(s)

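The three recovery-inhibition behaviours above (shadow copy deletion, bcdedit tampering, wbadmin catalog deletion) are the most reliable place to catch a Chaos-style payload from endpoint telemetry, because they show up as child process creations with fixed command-line vocabulary. The following is an added detection example, not code from the sandbox report or from the malware: it parses constructed process-creation log lines (shaped like Sysmon Event ID 1 / Security 4688 CommandLine fields, not taken from this sample's trace), matches them against the usual command forms, and only raises a host when several distinct steps fire together. The exact command lines this sample ran are not shown on the page, so the regex patterns are assumptions about common usage, and the host names, PIDs and timestamps in the sample log are made up.

```python
import re
from dataclasses import dataclass

# Detection rules for the recovery-inhibition behaviours listed in the report.
# The command-line forms are the common ransomware ones (assumed; the page does
# not show this sample's exact command lines). Case-insensitive, spacing-tolerant.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Parser for the constructed key=value log format used below: leading timestamp,
# a host= field, and a double-quoted cmdline= field somewhere later on the line.
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+).*?\bcmdline="(?P<cmd>[^"]*)"')


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    rule: str
    cmdline: str


def detect(lines):
    """Return one Hit per (line, rule) match; a single line may trigger several rules."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a process-creation record in the expected shape
        cmd = m.group("cmd")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Hit(m.group("ts"), m.group("host"), name, cmd))
    return hits


def triage(lines, min_rules=2):
    """Map host -> sorted rule names for hosts where at least min_rules distinct rules fired.

    A single command (an admin pruning backups with wbadmin, say) is noisy on its
    own; the payload described here runs the shadow copy, bcdedit and wbadmin steps
    back to back, so requiring several distinct rules per host keeps the alert specific.
    """
    per_host = {}
    for hit in detect(lines):
        per_host.setdefault(hit.host, set()).add(hit.rule)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= min_rules}


# Constructed sample log (not from this sample's sandbox trace). WS01 shows the
# full recovery-inhibition chain; WS02 shows benign look-alikes that must not fire.
SAMPLE_LOG = """\
2024-09-16T15:41:02Z host=WS01 pid=3120 parent=explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
2024-09-16T15:41:02Z host=WS01 pid=3136 parent=cmd.exe image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
2024-09-16T15:41:03Z host=WS01 pid=3150 parent=cmd.exe image=C:\\Windows\\System32\\wbadmin.exe cmdline="wbadmin delete catalog -quiet"
2024-09-16T15:42:10Z host=WS02 pid=4400 parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs -p -s Schedule"
2024-09-16T15:43:00Z host=WS02 pid=4510 parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
"""

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: inhibit system recovery (T1490) via {', '.join(rules)}")
```

Run against the constructed log, WS01 is reported with all five rules and WS02 is silent: `vssadmin list shadows` shares the binary but not the `delete` verb, so it never matches. In a real pipeline, feed `detect()` the CommandLine field from your EDR or Sysmon export and tune `min_rules` to the noise level of your estate; the `triage()` threshold is the knob that separates a one-off admin command from the chained sequence this family produces.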
MITRE ATT&CK Enterprise v15

Tasks