MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7e8bd165a390a8a54175875441ff0e575a693a4da94bc76a69ff5c20687b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b7e8bd165a390a8a54175875441ff0e575a693a4da94bc76a69ff5c20687b54
SHA3-384 hash: bbd605e70c47b0977da77347402214538ab41fba4ba450ea174054a51dcea514b1f3ab76f8e30c8f75c22a0b501437cd
SHA1 hash: 84ed720f8a90a0c33454016a618c071f680c0dc1
MD5 hash: f5b62c5b6c334b0384ec26decc67ee1d
humanhash: september-west-early-sink
File name:________________ __________________.exe
Download: download sample
Signature Chaos
Create hunting rule
File size:328'456 bytes
First seen:2023-03-11 16:38:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (864 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:S8JsLcpjzTDDmHayakLkrb4NSarQWw0TX5bgIbx:HzxzTDWikLSb4NS7R0TX5rx
Threatray 1'041 similar samples on MalwareBazaar
TLSH T1E864CF02FD8194B2C6720D315A29BB61693D7A200F14CEDFE3D44A6DEA351D0BB35BA7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 60e4f4f86c64747c (1 x Chaos, 1 x PureCrypter)
Reporter petikvx
Tags:Chaos

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Информирование зарегистрированных.exe
Verdict:
Malicious activity
Analysis date:
2023-03-01 16:42:54 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/e362d590-95f1-466f-9bff-bc8a7751a86c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373578/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file
Moving a recently created file
Changing a file
Modifying an executable file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Stealing user critical data
Enabling autorun by creating a file
Encrypting user's files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72692/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult cmd.exe filecoder greyware hydracrypt overlay packed packed ransomware ransomx setupapi.dll shdocvw.dll shell32.dll sorry
Link:
https://www.filescan.io/uploads/640caea8578f63046fe2bb2b/reports/c2608763-8711-48b6-9bbb-ec6bb005d4d9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1b7e8bd165a390a8a54175875441ff0e575a693a4da94bc76a69ff5c20687b54
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CHAOS Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20eb4c0b-d763-4ae4-8119-94cfd486fc9d
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191750
Signature
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Drops PE files with benign system names
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Sigma detected: Drops script at startup location
Uses bcdedit to modify the Windows boot settings
Yara detected Chaos Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824626 Sample: ___________________________... Startdate: 11/03/2023 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected Chaos Ransomware 2->84 86 5 other signatures 2->86 9 ___________________________________.exe 13 2->9         started        12 cmd.exe 2->12         started        15 cmd.exe 2->15         started        17 7 other processes 2->17 process3 file4 78 C:\Users\user\AppData\Local\...\gUBmQx.exe, PE32 9->78 dropped 19 gUBmQx.exe 3 9->19         started        114 May disable shadow drive data (uses vssadmin) 12->114 116 Deletes shadow drive data (may be related to ransomware) 12->116 23 conhost.exe 12->23         started        25 vssadmin.exe 12->25         started        27 WMIC.exe 12->27         started        118 Uses bcdedit to modify the Windows boot settings 15->118 29 conhost.exe 15->29         started        31 bcdedit.exe 15->31         started        33 bcdedit.exe 15->33         started        120 Creates files inside the volume driver (system volume information) 17->120 122 Deletes the backup plan of Windows 17->122 124 Injects files into Windows application 17->124 35 conhost.exe 17->35         started        37 wbadmin.exe 17->37         started        signatures5 process6 file7 68 C:\Users\user\AppData\Roaming\svchost.exe, PE32 19->68 dropped 88 Antivirus detection for dropped file 19->88 90 Multi AV Scanner detection for dropped file 19->90 92 Machine Learning detection for dropped file 19->92 94 Drops PE files with benign system names 19->94 39 svchost.exe 3 55 19->39         started        signatures8 process9 file10 70 __________________...___.exe.tvns (copy), ASCII 39->70 dropped 72 ___________________________________.exe, ASCII 39->72 dropped 74 C:\Users\user\Desktop\...\SNIPGPPREP.xlsx, ASCII 39->74 dropped 76 5 other malicious files 39->76 dropped 96 Multi AV Scanner detection for dropped file 39->96 98 Deletes shadow drive data (may be related to ransomware) 39->98 100 Uses bcdedit to modify the Windows boot settings 39->100 102 Modifies existing user documents (likely ransomware behavior) 39->102 43 cmd.exe 1 39->43         started        46 cmd.exe 1 39->46         started        48 cmd.exe 39->48         started        50 notepad.exe 39->50         started        signatures11 process12 signatures13 104 May disable shadow drive data (uses vssadmin) 43->104 106 Deletes shadow drive data (may be related to ransomware) 43->106 108 Uses bcdedit to modify the Windows boot settings 43->108 52 WMIC.exe 1 43->52         started        54 conhost.exe 43->54         started        56 vssadmin.exe 1 43->56         started        58 bcdedit.exe 8 1 46->58         started        60 bcdedit.exe 7 1 46->60         started        62 conhost.exe 46->62         started        110 Deletes the backup plan of Windows 48->110 64 conhost.exe 48->64         started        66 wbadmin.exe 48->66         started        112 Injects files into Windows application 50->112 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b7e8bd165a390a8a54175875441ff0e575a693a4da94bc76a69ff5c20687b54/
Threat name:
ByteCode-MSIL.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2023-03-04 18:18:58 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
33 of 39 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dn7ixulfuoikrjkbowdviqp7bzlvu2j2jwuuxr3knh7vyidipnka._file
Verdict:
malicious
Similar samples:
058a8bec8f58c3fc1d7b530d83499db343896d146b4b01c1da452a159ab1a90a
Chaos
2e1ee2e824021c57e3c6a1dd63845e79ce78307e8c5192b6ead55e214133dd12
Chaos
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
Chaos
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
Chaos
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
Chaos
840cf44c6fe52b883a3ebb5cbdd0a3705ffb661109265fbf68a1330266fd6cc6
Chaos
915a29734bf7d770c4a2bf259b29f06f56338577659aa64d09fc8b91dedeb51b
Chaos
e109085dfb0d7cae33a447c6bbb73ad8b8a20fe06e7f3e06b0e90ac912949428
Chaos
+ 1'031 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion ransomware spyware stealer
Link:
https://tria.ge/reports/230311-t5yqxacc7w/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Sets desktop wallpaper using registry
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Unpacked files
SH256 hash:
1b7e8bd165a390a8a54175875441ff0e575a693a4da94bc76a69ff5c20687b54
MD5 hash:
f5b62c5b6c334b0384ec26decc67ee1d
SHA1 hash:
84ed720f8a90a0c33454016a618c071f680c0dc1
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/27252da6-5fef-4148-a4d8-f9aa00dbcc4b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b7e8bd165a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b7e8bd165a390a8a54175875441ff0e575a693a4da94bc76a69ff5c20687b54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373578/

Comments