MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Chaos

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments

SHA256 hash:	0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e
SHA3-384 hash:	3c07cade76ebe8923e8054685fac562c21d4cbe60bfd845d92f802861edfaa5d3b47bc160712c58bd9e3dea35b0de2c5
SHA1 hash:	f277abb67529f37f2486bbf4fab7ef107575b755
MD5 hash:	2cc372097f710c7a6cbb8b4d7f99636e
humanhash:	william-two-finch-pasta
File name:	mymusic.exe
Download:	download sample
Signature	Chaos Create hunting rule
File size:	28'160 bytes
First seen:	2025-07-16 00:42:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'855 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep	384:PftWZPzzxAm1vp5ZRoDCFKW6pAnAQ56VlTOy5o91TJpu82vtJS:PW7zxAmpfyCz6pVQ5sho9fY82VJS
TLSH	T140C2B548B7FA4A36F6FF6F7869F251014736B952EC29D74E088D50890C32B8C8D60B67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	nickkuechel
Tags:	Chaos exe Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

Vendor Threat Intelligence

Malware family:

ryuk

ID:

File name:

mymusic.exe

Verdict:

Malicious activity

Analysis date:

2025-07-13 13:42:15 UTC

Tags:

auto-reg ransomware auto-startup crypto-regex chaos ryuk

Link:

https://app.any.run/tasks/8bbf3117-bb5e-4426-a88f-2d7b93c8bb0c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Chaos

Link:

https://www.capesandbox.com/analysis/14715/

Detection(s):

Win.Ransomware.Hydracrypt-9878672-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6876f56a7854bfe261a3efc7

Tags:

ransomware dropper sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process from a recently created file

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Launching a service

Changing a file

Reading critical registry keys

Modifies multiple files

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Deleting volume shadow copies

Preventing system recovery

Blocking a possibility to launch for the Windows Task Manager (taskmgr)

Stealing user critical data

Creating a file in the mass storage device

Encrypting user's files

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-security azorult base64 chaos cmd filecoder hydracrypt lolbin ransomware reconnaissance veeam wmic

Link:

https://www.filescan.io/uploads/6876f5695076b202e43d93ec/reports/98c2fbb7-989e-4df6-86e2-778102ac1fe2/overview

Verdict:

Malicious

Labled as:

Ransom.Small.Generic

Link:

https://www.hybrid-analysis.com/sample/0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e

Malware family:

CHAOS Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/96f6745b-2958-4986-a1ac-eafae5e7db6b

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.01 Win 32 Exe x86

Link:

https://app.malva.re/file/2cc372097f710c7a6cbb8b4d7f99636e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e/

Threat name:

ByteCode-MSIL.Ransomware.Small

Status:

Malicious

First seen:

2025-07-13 13:42:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 35 (88.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bihr4dxxoecgfbpxrn5pecvmgoclkio3x5v4nhfg2vm4yfoz7f7a._file

Verdict:

malicious

Label(s):

spectraransomware

Result

Malware family:

chaos

Score:

10/10

Tags:

family:chaos defense_evasion evasion execution impact persistence ransomware spyware stealer

Link:

https://tria.ge/reports/250716-a2yrys1vaw/

Behaviour

Checks SCSI registry key(s)

Interacts with shadow copies

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Adds Run key to start application

Drops desktop.ini file(s)

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes backup catalog

Disables Task Manager via registry modification

Deletes shadow copies

Modifies boot configuration data using bcdedit

Chaos

Chaos Ransomware

Chaos family

Verdict:

Malicious

Tags:

ransomware chaos Win.Ransomware.Hydracrypt-9878672-0

YARA:

Destructive_Ransomware_Gen1 MALWARE_Win_Chaos

Link:

https://app.threat.zone/submission/e389f0e9-86c0-4590-ab85-66c55d1661fd

Unpacked files

SH256 hash:

0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e

MD5 hash:

2cc372097f710c7a6cbb8b4d7f99636e

SHA1 hash:

f277abb67529f37f2486bbf4fab7ef107575b755

Link:

https://www.unpac.me/results/1c6f1936-ec33-4f53-9278-9f1248783cd5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a0f1e0ef771046285f78b7af20aac3384b521dbbf6bc69ca6d559cc15d9f97e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Destructive_Ransomware_Gen1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	Destructive_Ransomware_Gen1_RID31CB Create hunting rule
Author:	Florian Roth
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	Detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	MALWARE_Win_Chaos Create hunting rule
Author:	ditekSHen
Description:	Detects Chaos ransomware

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/14715/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample