Resubmissions

12/03/2025, 23:20

250312-3bv8cswyaz 10

General

  • Target

    Covid29 Ransomware.zip

  • Size

    1.7MB

  • Sample

    250312-3bv8cswyaz

  • MD5

    272d3e458250acd2ea839eb24b427ce5

  • SHA1

    fae7194da5c969f2d8220ed9250aa1de7bf56609

  • SHA256

    bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

  • SHA512

    d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

  • SSDEEP

    49152:dSrGy+kXRl9cIXjRG8OzbgFSXACZ4UL238tvVZkKNDN0AaFlkUSan:OZlyIzRXOfZv4UrtvVZRW6i

Malware Config

Targets

    • Target

      Covid29 Ransomware.zip

    • Size

      1.7MB

    • MD5

      272d3e458250acd2ea839eb24b427ce5

    • SHA1

      fae7194da5c969f2d8220ed9250aa1de7bf56609

    • SHA256

      bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

    • SHA512

      d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

    • SSDEEP

      49152:dSrGy+kXRl9cIXjRG8OzbgFSXACZ4UL238tvVZkKNDN0AaFlkUSan:OZlyIzRXOfZv4UrtvVZRW6i

    Score
    3/10
    • Target

      TrojanRansomCovid29.exe

    • Size

      542KB

    • MD5

      9f0563f2faaf6b9a0f7b3cf058ac80b6

    • SHA1

      244e0ff0a5366c1607f104e7e7af4949510226ec

    • SHA256

      a8054338891db7231f9885ca0d3bc90a651c63878ff603ede5c3efafa7e25254

    • SHA512

      40cdf4c754977e60c233417e42a62be02f9b5bfe239c0378664c28757ce6ce1fc3b91b83d6ef6bb184c4d831761f57a07255526d12a3a955c3b473bddb97f4c9

    • SSDEEP

      12288:xBv407Pg09KyclZbmoYsp8L/0C7Cvb3p62STTzfGGz9oSzrfI:xh5rgjycXbm0K/EzQl/xDrfI

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      readme.txt

    • Size

      285B

    • MD5

      f4f557db9c615c87e524802af8a9992f

    • SHA1

      692692c464b2a0229c697534c97d391179c5b646

    • SHA256

      17976e8a6952b0123b729b50b3ad981cbe97083db9de66a37eb6f8decc39b76e

    • SHA512

      7e8b9f2c01edf81252b722e2f9fffd1418150e9c5d6c322645bdc675561bad5b204c93ee5484b464c27a2d56ce86abc00152d32609bfd5f8271c32089b12d4c0

    Score
    1/10
    • Target

      source/Bat To Exe Converter/Bat_To_Exe_Converter.exe

    • Size

      444KB

    • MD5

      76d5900a4adf4c1f2ab8dbfd0a450c4a

    • SHA1

      6177a27416519564ecb5d38093d61c9a81d3c290

    • SHA256

      7adc1f7ff040628a600f99465bd70e71ad83fecfe60b0f1dadc84b5d262ff350

    • SHA512

      286b05ff09d4e85856c251d56902486738d9b2457d9a56ea8a449195b349f2718816099f4602efba88dad592dd6cecefcd0748382888c3026dd585b3e46f0c6e

    • SSDEEP

      12288:iYicHMPMDp8WrZtzlqQMB/FS/CiUF7RAfoSBjF:viuMPMDp8mtzbMFFS/CzKF

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      source/Bat To Exe Converter/help.chm

    • Size

      14KB

    • MD5

      ffa8c49b21b077b0dc4b51a1f6f9a753

    • SHA1

      5fe5b4d96b266b29bd7aaf41b32394f58e7416e2

    • SHA256

      00037bfc41afacf262afda160e17d3cca33606276324e99bbd93ad1207e9a7c0

    • SHA512

      751eeaef0828ec4416569291ebf3f434208ff43405221339688ec2535cd5947d58ad4d2fd8ea073aa0554f712783f5ec8d5f42dfc4ee935d2905bc541ccd0a9b

    • SSDEEP

      192:TQ3bVqwNUWqaGA9yb6OmVbelnchhvm2I2S1O:TQLbNJqHA9YYVbCahvm280

    Score
    1/10
    • Target

      source/Bat To Exe Converter/settings.ini

    • Size

      242B

    • MD5

      d3be6c4edea45f5a9a766dd235e4c23a

    • SHA1

      bc3f164c51e8f9b223b2992688aae2d492a18353

    • SHA256

      236d6136a9ea4241facb7c459bf0bad6d1fa572d436e6e73c44884d6126e5ab4

    • SHA512

      bd2f5cb1316bcc64bbf30b2828d497157129e2013a529be591733a5c900f4d3450e97eed3ba75f057a49884cdb9c0a72dcc2ba5768db33fba7ce9236f5cea6bc

    Score
    1/10
    • Target

      source/Cov29Cry.exe.death

    • Size

      103KB

    • MD5

      8bcd083e16af6c15e14520d5a0bd7e6a

    • SHA1

      c4d2f35d1fdb295db887f31bbc9237ac9263d782

    • SHA256

      b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

    • SHA512

      35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

    • SSDEEP

      3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      source/Cov29Cry/AdvancedOptions.PNG

    • Size

      16KB

    • MD5

      c5f0f9ab684461c635f551d045e6caa5

    • SHA1

      d68eabb18c68f34abc7e91b8538c445738c619e1

    • SHA256

      6c9eb2da924df69bcee50c50f51a67c66321eaf1f453e4c864f037d31e08cf93

    • SHA512

      f4ecaac100f6901dc1172fec228f48c5f73d828845dd579059143a0099ca3f5df17789808953b4145d236470acde80811d9c7e89b05dd773e9c2bdcf6142df42

    • SSDEEP

      384:xaeNJkobdwg/PB9IpD0xt7ZLyV2EvpNm9du6TX15fT5Vj77tnMhn:xtJXdwGHFt1yDCLvX15fT377KJ

    Score
    1/10
    • Target

      source/Cov29Cry/Chaos Ransomware Builder v4.exe

    • Size

      550KB

    • MD5

      8b855e56e41a6e10d28522a20c1e0341

    • SHA1

      17ea75272cfe3749c6727388fd444d2c970f9d01

    • SHA256

      f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

    • SHA512

      eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

    • SSDEEP

      3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

    Score
    10/10
    • Target

      source/Cov29Cry/Cov29Cry.exe.death

    • Size

      103KB

    • MD5

      8bcd083e16af6c15e14520d5a0bd7e6a

    • SHA1

      c4d2f35d1fdb295db887f31bbc9237ac9263d782

    • SHA256

      b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

    • SHA512

      35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

    • SSDEEP

      3072:H3kyzZr9SE9RmXjSPjXvyT2cQf8WhjTRqvM:N1r9SELZDv25iVly

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      source/Cov29Cry/FileExtentions.txt

    • Size

      1KB

    • MD5

      189eeecf41700ae5ba9ae1a4a1c49e9a

    • SHA1

      79dbd0e112eb3a184643dc4d9b76356c272fbc6b

    • SHA256

      31fd1820ee3f7aad61f1f99e944d2df2c5406f033a661ea98e07c389d6334ba2

    • SHA512

      37973f4103ee102d0fdb1e1d6a820be41305dec6293d6d73b55cf34852533392e5aa5c38fd6ed7554fbfca7790e2670d0799774ad64e23c816a48592f623be5f

    Score
    1/10
    • Target

      source/Cov29Cry/Options.PNG

    • Size

      47KB

    • MD5

      cdd3a90a2f2ab81410f356dcb38fc17b

    • SHA1

      66c451a8cad0def71e1216e66741c79e908c3304

    • SHA256

      7b288d1ad9b942447462f51c72fd30e050934240e9f5efa85e73f4f64c3ac1a9

    • SHA512

      90018991d0127a434758d37d41afa047b47493c4a7d503a8c185e569b52ebf3f10b1f899021c946bf599f623db2f6e11f0765f574573ad55fbfc86c776ca3928

    • SSDEEP

      768:mU3R21KunK9evX2uiTYb5a4Iu3geHYeP3aFH6ERIBNhfMpnxx6UJ:mU3k1ZX2utnROINf6bRJ

    Score
    1/10
    • Target

      source/Cov29Cry/bg.jpg

    • Size

      30KB

    • MD5

      108fc794e7171419cf881b4058f88d20

    • SHA1

      dd05defd9fe5fb103db09eb2a3bb72c5ed7d8777

    • SHA256

      741d2576009640a47733a6c724d56ed1a9cee1014cde047b9384181a1758cd34

    • SHA512

      3a1a22217ff636e48612ff3b55ac6611eda6ae0b5a1f4d693440cbd6aef84d6657d3cd076ca828ba828ee556ab64e5bdecb37c1d682590877f3b23345baeb0ea

    • SSDEEP

      768:VjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYB7:Vjjiz9FCrTGfmoOTrU

    Score
    1/10
    • Target

      source/Cov29Cry/covid29-is-here.txt

    • Size

      859B

    • MD5

      0a9f7b91e7c6beac740c17951e7feecb

    • SHA1

      82546b0a0d2cf5461c492e4d51767d06a1355440

    • SHA256

      be6d0b63a86a838d3252ce3ef015029499af4e9f0f8a0e04062f096368b58b8a

    • SHA512

      04dcea6aca102d9780dcad7f56fd560fd325fe0b9c3483fc16b88b163221d9ed36c99fee65bfb9ab151dfef092445c8241a36e4bb4bbdeff7098ac508a18b220

    Score
    1/10
    • Target

      source/Cov29LockScreen.exe

    • Size

      48KB

    • MD5

      f724c6da46dc54e6737db821f9b62d77

    • SHA1

      e35d5587326c61f4d7abd75f2f0fc1251b961977

    • SHA256

      6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

    • SHA512

      6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

    • SSDEEP

      768:/PjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYBo:/Pjjiz9FCrTGfmoOTrD

    Score
    3/10
    • Target

      source/Cov29LockScreen/23311_lores.jpg

    • Size

      30KB

    • MD5

      108fc794e7171419cf881b4058f88d20

    • SHA1

      dd05defd9fe5fb103db09eb2a3bb72c5ed7d8777

    • SHA256

      741d2576009640a47733a6c724d56ed1a9cee1014cde047b9384181a1758cd34

    • SHA512

      3a1a22217ff636e48612ff3b55ac6611eda6ae0b5a1f4d693440cbd6aef84d6657d3cd076ca828ba828ee556ab64e5bdecb37c1d682590877f3b23345baeb0ea

    • SSDEEP

      768:VjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYB7:Vjjiz9FCrTGfmoOTrU

    Score
    1/10
    • Target

      source/Cov29LockScreen/Cov29LockScreen.exe

    • Size

      48KB

    • MD5

      f724c6da46dc54e6737db821f9b62d77

    • SHA1

      e35d5587326c61f4d7abd75f2f0fc1251b961977

    • SHA256

      6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

    • SHA512

      6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

    • SSDEEP

      768:/PjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYBo:/Pjjiz9FCrTGfmoOTrD

    Score
    3/10
    • Target

      source/Cov29LockScreen/Cov29LockScreen.vbp

    • Size

      633B

    • MD5

      420983daadcf363dee597da26732659d

    • SHA1

      501a4e5714e301361aad8c3ea8c5861111956478

    • SHA256

      7008899f61b246889060a2032dbf812ea579f147880ab8f0ae7db67729d61090

    • SHA512

      98f7026010d089fc74b0edf6756d7280aa03ab82a5c10ee7848d82d81fae6f9df23569615ac32b816e550219b761d450185e66d688eb498cd855915927eb3e49

    Score
    3/10
    • Target

      source/Cov29LockScreen/Cov29LockScreen.vbw

    • Size

      45B

    • MD5

      4bc79d0f731d9f8a6a7648f3f8c7b2ed

    • SHA1

      e1f4ab69a394f78de0633ed8b542e4f98e3b1458

    • SHA256

      aa198998686412f07e422127bb3f4a1a1228ce62204fc8f5a43bd6863121de65

    • SHA512

      959c87b708ba8ddad4252a35258733c07f1fc1421e7f90abe01dae52d6455303b10c420074bb409ffd7a54617b9a222e7939d511d807f012fc72c0b6c1751d94

    Score
    3/10
    • Target

      source/Cov29LockScreen/Form1.frm

    • Size

      1KB

    • MD5

      7bc02ce2aa937dc58733a326b6d6df4e

    • SHA1

      b86ff7bc9619fa720629ded50bef86eb23f66b0e

    • SHA256

      b1c2c1a22a0081fc23b8c9298ef088b0055b9f12a57b501450cd2b282561e784

    • SHA512

      232cae0a89c81ed31225a959562b86b67ca7c4e47bbafb2135e39962b85f18aa9f36a2342094eba48b5c4ea2018d5457f1a90054a27a4325f42d7ef811e46905

    Score
    3/10
    • Target

      source/Cov29LockScreen/Form1.frx

    • Size

      30KB

    • MD5

      654d48ddcf505d1b7c31817d9b8a91f2

    • SHA1

      3830a65ebbf9bb716fbd99da06eddc1da8f2bd54

    • SHA256

      458f33b650a04abbb49bda25ae5a2d7cee6ae26f6450a061c5e8012ab9af16d0

    • SHA512

      7db2fdd00f7deba41e396ee83016621a7937e7438f4e4aa68045c1b7871c0601ad503f926fde054071aa97cd616ff8aadf4b73a09d50eba9e53e82da0e17e0c8

    • SSDEEP

      768:ZjjisU9FR4GNO9OCo0/E9bx0MpO5oO4A2K8iYB7:Zjjiz9FCrTGfmoOTrU

    Score
    3/10
    • Target

      source/TrojanRansomCovid29.bat

    • Size

      1KB

    • MD5

      57f0432c8e31d4ff4da7962db27ef4e8

    • SHA1

      d5023b3123c0b7fae683588ac0480cd2731a0c5e

    • SHA256

      b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

    • SHA512

      bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • Target

      source/icon.ico

    • Size

      147KB

    • MD5

      c2c802b751e5a25b524b9369f583c371

    • SHA1

      eaa3ed8f1c656c3ffb0a434241e65f2dd181ba4d

    • SHA256

      930ab1d5fcd9864c45ad88911b2b13d84b379d0081dbfa114089eb4750c7d04f

    • SHA512

      72716b0c22b82ae3e38e21ad8fbc3c738da8bd3ac437e6ca0b022e0094c1d13a2f65f61e6a5c7fad6ee3fc6240990caa73cd8b0e53cf330a655457c6a2b0c37c

    • SSDEEP

      1536:V/6qKJHV8vj9bPnNfTiReHBX5UtrODdbM9kkDyTTwZglEMWpPDelGGKHgXs3:CqNTiCBpoiDdbM9kkmTTwFTAV

    Score
    3/10
    • Target

      source/icon.jfif

    • Size

      8KB

    • MD5

      a09e22b372ad74b3a504798b7d3f87b0

    • SHA1

      3536de7ec5055eeeb7e4761ae4f8f624dc4dc436

    • SHA256

      ea253bacafd64a86055f8779f96d71801ed171a25e6027f7f0565dcb05bfe1b1

    • SHA512

      829316d6e7dab8b0fc7a5e006d22e284f136b5db19565c5cfc4c0b17abd85c5155acc2dfb64f02fec07c6d5fd59530feb6644b67499e024cd234cb4996d0a1bf

    • SSDEEP

      192:6grmvvWkxFC6jpnDA2elpwYnxjhxK6TH41T7OSuf1sdCG:JmHBxFCyTImYnNTYRFuKd7

    Score
    1/10
    • Target

      source/mbr.cpp

    • Size

      365B

    • MD5

      d20eddecb5625b60d61d80c067537188

    • SHA1

      8418cb3dd155a9399e7be92da3b4fcd50b559f99

    • SHA256

      45eaa30a90c739fd9fb32d59b29d3e7cd8871431670a3e64d6c34fd53a08f979

    • SHA512

      a0f1578adbabaa0cd5567678ac382637ea078070ef7f567251374ff7f1d1e3e2c6d108471a0cd6aeeb47058d06e0c2bafd0e8f487be04208e44311e478c1f980

    Score
    3/10
    • Target

      source/mbr.exe.danger

    • Size

      1.3MB

    • MD5

      35af6068d91ba1cc6ce21b461f242f94

    • SHA1

      cb054789ff03aa1617a6f5741ad53e4598184ffa

    • SHA256

      9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

    • SHA512

      136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

    • SSDEEP

      24576:LT3LlvRiQNGYXCI+b1w30WgvZef6YhuQ5O3h3JMtbu:7XNGDIu8NyMtbu

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, chaos
Score
10/10

behavioral1

discovery, execution
Score
3/10

behavioral2

chaos, bootkit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer, trojan, upx
Score
10/10

behavioral3

Score
1/10

behavioral4

discovery, upx
Score
5/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

chaos, defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral8

Score
1/10

behavioral9

chaos, ransomware
Score
10/10

behavioral10

chaos, defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

discovery
Score
3/10

behavioral16

Score
1/10

behavioral17

discovery
Score
3/10

behavioral18

Score
3/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

Score
3/10

behavioral22

chaos, bootkit, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer, trojan
Score
10/10

behavioral23

Score
3/10

behavioral24

Score
1/10

behavioral25

Score
3/10

behavioral26

bootkit, discovery, persistence
Score
6/10