chaos

Sharing

Copy URL

Twitter E-mail

General

Target

New folder (2).zip
Size

274KB
Sample

241018-v29vfayhqe
MD5

fd6703b0a113be4252e8b57de2990052
SHA1

e01866a3d06ac4a9b2352d24616c30286852a037
SHA256

c4e56e9f1a23448f15f6f81dfdf3b2343e94ca1f33ba1f11a96a4b4182358664
SHA512

6fd0d82858019cc9bf436964d6c8a545b4e639908913683eab00d31e4ac736f1fb893f8e714eda73f1edc56fa4d42695b48d9648afc21a60cc4d5925b54aeb17
SSDEEP

6144:M4sHyslLRkvwA0Va0DqZ+uk7m4sHyslLRkvwA0Va0pDWr:ySj0Vay170Sj0Va2Dm

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_1380491.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: iygGOJHf9/kqAtHoMBP49Dnz62LcPXeh2YB4cCx1chhGQ19lzvWynRHPs607XGxnWj+JMMsvUtad+UOuHEWGCmsNf8juBmdgDTg7c4W/WYkR1JlZNr+dn82qsuE7MX2e9NErO+KGbfqfISnaXtNddG8Xin/3pRjpgjtoUHp+ALKPwf8T2A6+0ZhP4OV0preeMCICVttJELiwsmX91S16urAmYkRTlf9j2cWrVUaRQi1SA86Da9m+dqWmg22f/ZB5aLnivHjQ/bFJituFI8JqIpy4nJjvuTyQQmX7Z2KR6iNdQPe1vKsjAMLrp1xN33MwWFsz9ATpUPRNPpMDeLrY7g++ZW4tVVNfMTM4MDQ5MV9BZG1pbl8xMC8xOC8yMDI0IDU6MzA6MjkgUE1fV2luIDdfYmx1dDRfZWNmYjVjOTVkMGYzZDExMjY1MGVmNDA0NzkzNmU4ZmE1MjQ0YzIxYzkyMWY2YzdhNjk2M2U5MmFiYWI0OTQ5ZA To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Extracted

Path

C:\ProgramData\README_3805226.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: WHA5BCORWkxUUDpryukwCR7sQC2bJfe1mCXODthnkn3iHLq8Bz9BQXbGEN/C13cIby1QLM24OuskkJM+39pv5VaQFPiof5Ay/khdqA+239FbQ4HMncFJAA7ONG1eUYoLAdMLQjJ80B+y3DxyywdByL8/gELR94NSJXAJkKyFFTJYWq86NjGhTrWkOFpMBFimGiRsbf672m+h2cupF9DtLp+2Sp9Slf/asRzvqirJdN4aPtKJLkrPSNgqWRGEmTlY315sKXGiBKiLWL3ze/Tp0UH9TYxHxk1JWA7JB+Kq5S7RoHJaqyjR5cMYv8HAgXZdkEuwFoQ1Yj1z0ddAxLvRDA++ZW4tVVNfMzgwNTIyNl9BZG1pbl8xMC8xOC8yMDI0IDU6MzA6MjkgUE1fV2luIDEwX2JsdXQ0X2VjZmI1Yzk1ZDBmM2QxMTI2NTBlZjQwNDc5MzZlOGZhNTI0NGMyMWM5MjFmNmM3YTY5NjNlOTJhYmFiNDk0OWQ To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Extracted

Path

C:\ProgramData\README_1299646.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: ib/gQWCNaFNZZIlxXM7uPcg0X0mTjmYNX3DNzU1Er27XHA2yveT6NraxoIchnMkZrmLAS6HBaII3/CK7rtA6qpocshBC5HDwmb7TBr8Bxoz238UhpnX0WWzfZr8I8ICMwAHXeMlBxjq+uy3ja0wcML4z6+OBKxt748rWI07GjwDIAF8I6+ROL3Lev1UWF2g6W6b0FUu6W5z7y1aAmLVl9S86WYRA+4osI0FCXDZ9X1YvQMpc85jyfrdK8ene+z1bo3B1WerEtJ6+aDs5w7jVDlOboo5SJrgzKg+6jJFCbz85HyKQ2HrfT492wRfVZ5C5GCFmOL+E6PZ0atdmPiitUQ++ZW4tVVNfMTI5OTY0Nl9BZG1pbl8xMC8xOC8yMDI0IDU6MzA6MzEgUE1fV2luIDEwX2JsdXQ0X2VjZmI1Yzk1ZDBmM2QxMTI2NTBlZjQwNDc5MzZlOGZhNTI0NGMyMWM5MjFmNmM3YTY5NjNlOTJhYmFiNDk0OWQ To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Extracted

Path

C:\ProgramData\README_0629770.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: bDiSSX4idnedDmKO7lF8Q2HyHloOqZYiApbDIU4a2Nf069OEIHo53td3Yc6HXYcDHRAYZCxFyAb+6zbbZj8g+WwVpInbsYfJscPsNR8AxRl5Pupunc+9Thf2aAZvRduYFYYXL87mJxMNCkApOelWTpZBM6sYTCjahG2zQEfQNPKqVIpVLDeJ2oE8x2ZDqiTcEO7p0jqfCzkSQVhtuDw7RD6AD/X4hCtp2JaGynXQOr2VpeU1m7kNSMT0NceOxYpI/Wb3kJphgMiLov+EMJ6JVUHIeo0StHN9gf/wgamS3eszzPO3xFVx6RQ6iyVSeJvm1J7n8+o4Kg2/igSt2pNVCw++ZW4tVVNfMDYyOTc3MF9BZG1pbl8xMC8xOC8yMDI0IDU6MzA6MjkgUE1fV2luIDEwX2JsdXQ0X2VjZmI1Yzk1ZDBmM2QxMTI2NTBlZjQwNDc5MzZlOGZhNTI0NGMyMWM5MjFmNmM3YTY5NjNlOTJhYmFiNDk0OWQ To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Targets

- Target
  
  38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe
- Size
  
  244KB
- MD5
  
  bae6c0faa24fda3118cfdfc7f3f2553d
- SHA1
  
  e6592d7122a73fda5f9cd98b5e49d5d80f0fe4fe
- SHA256
  
  38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0
- SHA512
  
  e400e14ba2e16d4ac197e2d99407142a48d3a8027faf12d1268c2f8bd293a00dec03e9e3d760e246a3b538b75754488e2a0e2d074d2f11fa775cfdd99b8ea0e9
- SSDEEP
  
  6144:8+jn7PfWDycKPudCuS74kvw6Mr9zmduLn+70pKXQl29ur4cm:8+gycSzre2q+70pKXQl29ur4c
Score

10^/10

chaos discovery persistence ransomware
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
- Size
  
  18KB
- MD5
  
  50f4469ad4b9bf352c5c9604ef913ccf
- SHA1
  
  5c82d5155c9151115346efd94e1b1da34cced32c
- SHA256
  
  3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7
- SHA512
  
  ff92408fd18d0a7563705e606a9534ebc47f6e85b3dd2aa439da58f85c32c8107dd2d5985aca91d7c0c3cb604ef7d5758469e8efc77d033a66148b3a8731be3e
- SSDEEP
  
  384:vRHTIhveCy+RujQKK7qbqtLnWp9Iggf7W8:vRTIry+Ru0KKObh9IggfL
Score

9^/10

defense_evasion execution impact persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (1382) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
- Size
  
  18KB
- MD5
  
  f31d6529ff4ad98053f9a8a9832f95e3
- SHA1
  
  abdd5ce48e2d11a4c82fc90d9e9beeb14b437cee
- SHA256
  
  801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e
- SHA512
  
  25e452098a46f3ddf3cc6e268a94fa998d7c0de907741f436d10caf7be8c038163dc3a0f51516f3b4072085951eb5e44053b2e9f84a532c152bbf813a518a755
- SSDEEP
  
  384:imwIxiBDXgRUV7JCGgmxt8mvA4ILbfNGHEDPUw3rXTXLazK:i6UVl7twPbfg2Uw3HXAK
Score

9^/10

defense_evasion execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (495) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral10 behavioral11 behavioral12 behavioral9
- Target
  
  be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
- Size
  
  244KB
- MD5
  
  751df604e41a7e473fd3817b4c16d5f6
- SHA1
  
  30d6eacf97d1a5e6ec191f75a8eb16d9da54f218
- SHA256
  
  be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e
- SHA512
  
  6c546d46e6b7c0adffee2bdcf2b85b786b57fbf73c4213e39bf54e4ceaceaa5f143e0e9d57d0398464074e46c0242bd649fa80615d1dc3db32f08b061a7629d7
- SSDEEP
  
  6144:8+jn7PfWDycKPudCuS74kvw6Mr9zmduLb+70pKXQl29ur4cm:8+gycSzre2q+70pKXQl29ur4c
Score

10^/10

chaos discovery persistence ransomware
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13 behavioral14 behavioral15 behavioral16
- Target
  
  ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
- Size
  
  52KB
- MD5
  
  ba9210de03de945901f02792f7994871
- SHA1
  
  20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
- SHA256
  
  ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
- SHA512
  
  277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
- SSDEEP
  
  1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral17 behavioral18 behavioral19 behavioral20