chaos

Sharing

General

Target

RNSM00464.7z
Size

24.7MB
Sample

241008-x8vefa1hpc
MD5

654a8d9ad78eae28285ebbe220a66d40
SHA1

568769a38792f94bb52014952ffa12b987bfbad9
SHA256

3cbc2e715a7f27f27bfc07e4fed45251608833ae05020fde0d06e8f1187dbe11
SHA512

41414ad0f340c83ff61b218670dc66cbc4bb2d8726d0d32e3c6a3da09901b69e49f0361e97054fc9189a726007f04e1f2d6c43debd963653101d0094fbf0eb27
SSDEEP

393216:iZ79twuT+C2ZeYslhGR8d3za68YmQd3RZnVDOn3CcSwlT/g2zR0bM8E8:8UZeYslcSd5mmLE3zttD0pL

Score

10^/10

Malware Config

Extracted

Family

gandcrab

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

djvu

http://astdg.top/fhsgtsspen6/get.php

Attributes

extension
.hoop
offline_id
922IaqlBU1I6IKX6eTDABuH3amHHwoa5qUSb8vt1
payload_url
http://securebiz.org/dl/build2.exe

http://astdg.top/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-I6qIbIYiz9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0326gDrgo

rsa_pubkey.plain

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

127.0.0.1:5555

haso.ddns.net:5555

Mutex

F8GIE4GJ812773

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Driver
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Install Flash Player
message_box_title
Error
password
crocro35
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

112.175.88.207

112.175.88.208

Extracted

Path

\Device\HarddiskVolume1\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>E4AFD8D1-2700</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ TO UN-HACK

Ransom Note

WARNING! WARINING! Your Computer Has Been Compromised! If You Wish To Gain Back Access To Your Computer And Prevent Further Spread Of Encryption Across Your Newtork - UGRENTLY FOLLOW THE INSTRUCTIONS BELOW.... You MUST send 1.5 BTC To The Below Bitcoin Address bc1q8f3a4s546jm7dnw7gmv72k39wjs36cj0gfsf6f You Have 3 hours to get payment across before we begin to spread malware across your network. Getting Your Files Back Is in our best interest so please confirm payment to below email And all files will be un-encrypted and back to there original state once payment confirmation is received. Email: [email protected] Thank You - Razor Squad

Emails

[email protected]

Extracted

Path

F:\HowToRestoreMyFiles.txt

Ransom Note

All data in your machine turned to useless binary code. Your databases and important files have been downloaded and will be published after 12 days if not paid. To return files and prevent publishing email us at: [email protected], [email protected] (send copy to both). Tips: *No one else can help you , don't waste your business time. *You ask for proof that we have your data , and you can see our old target that their data have been published. *If not paid after 12 days Google your company name and you will see your private data in there, happy will legal and business challenges of data leak after. *For decryption anyone/any company offering help will get extra fee(some times even more than ours!)added to ours or simplly will scam you (dont pay us after getting test file, lie and scam you) so if you wanna intermediary chose a trusted one to avoid scams, and get your data. *For decryption you send a few sample files for test before any payment. We won't be available for long. Dont play with encrypted files that will corrupt them and make unrecoverable. Use google translate (if you don't know english) Your key: LQ2+Tkig+7Fb350+B8uhiOhVgYZIwYNf68UtIPzon3cnjwBFbWwSgtRxKOdTkIzObpnMINr//cilOP0JdaINvWDjnwXv0aEGE0lpU0GPo4r6o8dmdI06JyAGXLhB8G5PJNNGrE3IqxAPjjoSF14QXnGe4ceZyf5IO49ay6fSB6Y=

Emails

[email protected]

Targets

- Target
  
  RNSM00464.7z
- Size
  
  24.7MB
- MD5
  
  654a8d9ad78eae28285ebbe220a66d40
- SHA1
  
  568769a38792f94bb52014952ffa12b987bfbad9
- SHA256
  
  3cbc2e715a7f27f27bfc07e4fed45251608833ae05020fde0d06e8f1187dbe11
- SHA512
  
  41414ad0f340c83ff61b218670dc66cbc4bb2d8726d0d32e3c6a3da09901b69e49f0361e97054fc9189a726007f04e1f2d6c43debd963653101d0094fbf0eb27
- SSDEEP
  
  393216:iZ79twuT+C2ZeYslhGR8d3za68YmQd3RZnVDOn3CcSwlT/g2zR0bM8E8:8UZeYslcSd5mmLE3zttD0pL
Score

10^/10

chaos cybergate djvu gandcrab phobos urelas remote backdoor defense_evasion discovery evasion execution impact persistence pyinstaller ransomware stealer trojan upx
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Detected Djvu ransomware
- Disables service(s)
  evasion execution
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1