General

  • Target

    Chaos-0b.zip

  • Size

    2.7MB

  • Sample

    250404-bwjlhsxwgs

  • MD5

    93e0837c5aca573e12222c1cb191f119

  • SHA1

    b2d216ab16882df2cdaa91bc4c4ade72714fc2d8

  • SHA256

    fbce0282ec9276da79d35421a6de69e675ce79d4ea00f1d17891444cee0e7b5f

  • SHA512

    b24d0c4264b04aadea41dde632e60de88fce2d4fb4a196ceb45dad9704ce6e62303c3b9731a3a3a98c8787893f6c03e65288331b638a92ca1889ababb5d106a7

  • SSDEEP

    49152:spvHqguIOp3qFmjlMeR4FaWlyhY/PeVXWDIMB80M8BVmeMMKKPqtE60zK3KnS/mj:AfqPIOtqcjlqaWwhY/PeFRMB8+BVmeM6

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ ME.txt

Ransom Note

    ---= GANDCRAB V5.0.3 REMAKE BY FLOWERSUSER7213 =---

    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

    **** This malware is given for trusted users only and this is malware and ruins your day! >:) ********

    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS AND YOU CANT USE IT AT ALL PLEASE MAKE A SNAPSHOT AND RUN THIS PROGRAM!*****

    Attention!

    All your files, documents, photos, databases and other important files are encrypted and have the extension: .TUSOSOIN

    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

    The server with your key is in a closed network TOR. You can get there by the following ways:

    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/34afc7c684c32ae3
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------

    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

    ATTENTION!

    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW

    ---BEGIN GANDCRAB KEY---
    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
    ---END GANDCRAB KEY---

    ---BEGIN PC DATA---
    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

    ENJOY YOUR FUCKING PC!

URLs

http://gandcrabmfe6mnef.onion/34afc7c684c32ae3

Targets

    • Target

      Chaos-0b/Chaos-0b.exe

    • Size

      9.1MB

    • MD5

      ffdfb4889a8af7fee5c0d60731b3ff1b

    • SHA1

      5e968b7cf87b36bf705882fb13e4774ef38f2386

    • SHA256

      12cf510444fbe31d26b0d07046827713acff59310a677041d10a38baa5475bb9

    • SHA512

      d9f8431cfe9e9999d1ac9957c99b18b45d38af2af612fe32b4c4573468e829b67619083e5b5f777ac2284131b38c0df973501138bb56b5e553303eb78ccc1073

    • SSDEEP

      6144:ar9SUF0Gbetbpf5+hoIFZ/vNmjLPVwYpE/LpbueRsdxIh7m5hfLPeov23vWENOSe:U7yw2

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Chaos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks