chaos

Sharing

Copy URL

Twitter E-mail

General

Target

reanimator.zip
Size

43.8MB
Sample

241027-zwrtwssdmh
MD5

165d14a5ae0d63c7e52ce7b74a934a61
SHA1

3ab53b49f609ef8aaffad44dcf47ce0811b46188
SHA256

a904e1b14be7d43c7ce028aa17d1404e1f964e8285360745ea25ab041ef7cfc8
SHA512

16652f9a9c7a4bfd35edd21f6f06031be3e9ee0a9f4f87e68e648ad0b9e601978d7213dd7950cc6e0114cc768bd196c50c75eb7189fc03f76cfdff989e44ad64
SSDEEP

786432:jcbOvONv0ydn3wwkIjGwvQ90mI4uIkLOBFUcc8tsUjlxlroXJwBHP+lloLH5u5MS:j6OvORAn2GEQ9nI4zOv+N8JQv+Hr04

Malware Config

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

xworm

Version

5.0

takes-sbjct.gl.at.ply.gg:41371

Mutex

MxqHSXsrqbfmnzhV

Attributes

Install_directory
%AppData%
install_file
WindowsLogonIN.exe

aes.plain

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Targets

- Target
  
  ReanimatorStart.exe
- Size
  
  43.8MB
- MD5
  
  2d725ed14a2e1bc2de95468672e1241a
- SHA1
  
  4f6e4d1e348e0e5d459406bdf7c6fae7e4255569
- SHA256
  
  dd0da3745cee6d147c9c4f276760a31379b0896bca040ecf47502b30c8762467
- SHA512
  
  341712bc64d220801914de1b564508a118b28e490fdc7634caad2a7a21187992adca06dd57de8d1247da3eba3926aa7321b763e93803e110ebc78bf1144f76d1
- SSDEEP
  
  786432:hmT6Pe1ewcRTpMgKq94uRotrkY+kmY1O7TmIeEZsmxnTZlsPl2rn3UxL05BBor8z:hQ6PeQWFO46otoY+3En07ilS3U9fS/
Score

10^/10

chaos dcrat redline stealc xworm tale adware credential_access defense_evasion discovery evasion execution impact infostealer persistence privilege_escalation ransomware rat spyware stealer trojan upx
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Xworm Payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Modifies Shared Task Scheduler registry keys
  persistence
- Sets service image path in registry
  persistence
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1