chaos

General

Target

863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN
Size

777KB
Sample

241006-fygxxstcnk
MD5

d570b2529c442ad6b2c51a727a580800
SHA1

b95185702eb795a6f1e36c1ef6e6fb55ea4b2a17
SHA256

863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345c
SHA512

954d0b529441c4654237da996a69a9e609f66a56f35bb831e356bcf1119401061d287c6e88f658668c6d7fb78db19bb7f4b267ec07231a7020d66c5dff3a5eb3
SSDEEP

12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9tnIj:SnsJ39LyjbJkQFMhmC+6GD99o

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Links\READ_THIS.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted and stolen Your computer was infected with a ransomware virus. Your files have been encrypted and stolen and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $150. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.00240923 BTC Bitcoin Address: bc1q5dct32xckc9352ze647cf8lsv0vjaldp9vpvk6

Targets

- Target
  
  863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345cN
- Size
  
  777KB
- MD5
  
  d570b2529c442ad6b2c51a727a580800
- SHA1
  
  b95185702eb795a6f1e36c1ef6e6fb55ea4b2a17
- SHA256
  
  863809b03627315676be588f4027d45989029eb627e7361adbada53adb44345c
- SHA512
  
  954d0b529441c4654237da996a69a9e609f66a56f35bb831e356bcf1119401061d287c6e88f658668c6d7fb78db19bb7f4b267ec07231a7020d66c5dff3a5eb3
- SSDEEP
  
  12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9tnIj:SnsJ39LyjbJkQFMhmC+6GD99o
Score

10^/10

chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2