General

  • Target: DiscordNitroGenerator.7z
  • Size: 42KB
  • Sample: 250203-yexhdaspcp
  • MD5: bd90722f26e34bb23e435f2a241f0315
  • SHA1: f1b911c596a8f1849a7cc3e18ba6f87a95b27f3e
  • SHA256: 5daa764323048a42c04c4b8c5ac02af011a6d05356600814873e4fb04380b72c
  • SHA512: 7db29f76c2e2e7146f4109bf14f7d15ed15148ab7c3adf44abd149e4088dff3f32cec64c457856f514912416ff2d78f36105ef3f12ceb86dd122ceed3b43ae42
  • SSDEEP: 768:CLNLp8jFQqUmTDTiOGSwtz+ePnMMPL3++34wFNbXpNfkJNAoB2asCavCaSV/GMP1:CLJYFcCDTiNtyePnMaLN4wFjNLCaCeu1

Malware Config

Extracted

Path: C:\Users\Admin\Documents\read_me!.txt

Ransom Note
Hello. All your documents, images, videos, databases and other files are no longer available because they have been encrypted. There is nothing you can do about this, because if you try to remove me, the files will be lost permanently. No one will be able to do anything except us. We guarantee the decryption of files if the instructions are followed. To get your files back, you'll have to pay. We only accepted Bitcoin. Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. These sales websites are secure and secure: Coinmama - https://www.coinmama.com Abra - https://www.abra.com/buy/bitcoin Localbitcoin - https://localbitcoins.com - - - Payment amount: 0.0013 BTC. Bitcoin address: 33guPaiB1te5KSXMoAFxcCAeroGwrCKzo5 Then and only then, send an email to [email protected] to get decrypter. Do not download unknown files from the Internet ...
Wallets

  • 33guPaiB1te5KSXMoAFxcCAeroGwrCKzo5

URLs

  • https://www.coinmama.com
  • https://www.abra.com/buy/bitcoin

Targets

  • Target: Discord Nitro Generator.exe
  • Size: 118KB
  • MD5: 79a27511481a3ff98353cc18247555d0
  • SHA1: 97ad6646d0ac8899a76e02820d57efccfc101da8
  • SHA256: 51f67144ecd073fa1ebdcee8005a8c8d0f4281645866c13aef5e4e60591f9a2b
  • SHA512: b334158dcb5b7a3d21d5805088e6a13afdc64041d0d3dc5ce04e71a00ede1238f293109f9f9c6d64a59a53ee5263a2c0880fb26bba84e4fd7ad1da5b75d24eef
  • SSDEEP: 3072:NoBng4r9sTE6T2DtXRTBQeqbJWREG8HuRAnNRZR:Chr9sTE6GS2EV1nF

  • Chaos: Ransomware family first seen in June 2021.
  • Chaos Ransomware
  • Chaos family
  • Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
  • Modifies boot configuration data using bcdedit
  • Deletes backup catalog: Uses wbadmin.exe to inhibit system recovery.
  • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
  • Drops startup file
  • Executes dropped EXE
  • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Drops desktop.ini file(s)
  • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15