MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6
SHA3-384 hash: 60b72ef54e6028474a021f5e0b382fb2b19ad80a269c751e4fd5b98819825028ba8182e7b45a26ab62e941b9ec26cdc8
SHA1 hash: 8407263b522d54df4769f016ed6eff825a84e51b
MD5 hash: edaaba5a17d662d9565e57550a1e37c5
humanhash: maine-lion-wisconsin-jig
File name:1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6
Download: download sample
Signature Chaos
Create hunting rule
File size:2'117'120 bytes
First seen:2022-10-04 09:53:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep 49152:PQ/UI0/23SQQGErb/TJvO90d7HjmAFd4A64nsfJkfvBYgXKRQHfDp5z1:PY3S0gS8
Threatray 2'737 similar samples on MalwareBazaar
TLSH T192A56B47B88094BAC0AE92328A66D2D17B317C950F3163D73A50B7FA1E737E4AE75314
gimphash 96be8a11bd4ebd4118e9ab251061a0fabf128593f29c7cacfa55479d4d8626f4
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter petikvx
Tags:Chaos exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
527
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316421/
Detection(s):
Win.Malware.Wingo-9966132-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Changing a file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Preventing system recovery
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Stealing user critical data
Encrypting user's files
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41038/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang greyware
Link:
https://www.filescan.io/uploads/633c02c149c58ce767c5efd7/reports/1a01fdc4-9570-4f07-b819-d64ad514930a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf25cebe-37cb-43ff-b9bb-f8bde6b8a880
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083116
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to disable the Task Manager (.Net Source)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Found ransom note / readme
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Yara detected Chaos Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715675 Sample: cIXgqhVfzV.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for dropped file 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 8 other signatures 2->96 9 cIXgqhVfzV.exe 3 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 13 other processes 2->17 process3 file4 86 C:\Users\user\Desktop\svchost.exe, PE32 9->86 dropped 88 C:\Users\user\...\go-memexec-4149363123.exe, PE32 9->88 dropped 130 Drops PE files with benign system names 9->130 132 Potentially malicious time measurement code found 9->132 19 go-memexec-4149363123.exe 5 9->19         started        23 conhost.exe 9->23         started        134 Deletes shadow drive data (may be related to ransomware) 13->134 136 Uses bcdedit to modify the Windows boot settings 13->136 138 Tries to harvest and steal browser information (history, passwords, etc) 13->138 140 Modifies existing user documents (likely ransomware behavior) 13->140 25 cmd.exe 13->25         started        27 cmd.exe 13->27         started        29 cmd.exe 13->29         started        142 Changes security center settings (notifications, updates, antivirus, firewall) 15->142 31 MpCmdRun.exe 15->31         started        144 Creates files inside the volume driver (system volume information) 17->144 146 Query firmware table information (likely to detect VMs) 17->146 signatures5 process6 file7 84 C:\Users\user\AppData\Roaming\svchost.exe, PE32 19->84 dropped 106 Antivirus detection for dropped file 19->106 108 Multi AV Scanner detection for dropped file 19->108 110 Machine Learning detection for dropped file 19->110 112 Drops PE files with benign system names 19->112 33 svchost.exe 2 502 19->33         started        114 May disable shadow drive data (uses vssadmin) 25->114 116 Deletes shadow drive data (may be related to ransomware) 25->116 37 conhost.exe 25->37         started        39 vssadmin.exe 25->39         started        41 WMIC.exe 25->41         started        118 Uses bcdedit to modify the Windows boot settings 27->118 43 conhost.exe 27->43         started        45 bcdedit.exe 27->45         started        47 bcdedit.exe 27->47         started        120 Deletes the backup plan of Windows 29->120 51 2 other processes 29->51 49 conhost.exe 31->49         started        signatures8 process9 file10 76 C:\Users\user\read_it.txt, ASCII 33->76 dropped 78 C:\Users\user\AppData\Local\...\read_it.txt, ASCII 33->78 dropped 80 C:\Users\user\AppData\Local\...\read_it.txt, ASCII 33->80 dropped 82 7 other malicious files 33->82 dropped 98 Antivirus detection for dropped file 33->98 100 Multi AV Scanner detection for dropped file 33->100 102 Machine Learning detection for dropped file 33->102 104 5 other signatures 33->104 53 cmd.exe 1 33->53         started        56 cmd.exe 1 33->56         started        58 cmd.exe 33->58         started        signatures11 process12 signatures13 122 May disable shadow drive data (uses vssadmin) 53->122 124 Deletes shadow drive data (may be related to ransomware) 53->124 126 Uses bcdedit to modify the Windows boot settings 53->126 60 WMIC.exe 1 53->60         started        62 conhost.exe 53->62         started        64 vssadmin.exe 1 53->64         started        66 conhost.exe 56->66         started        68 bcdedit.exe 56->68         started        70 bcdedit.exe 56->70         started        128 Deletes the backup plan of Windows 58->128 72 conhost.exe 58->72         started        74 wbadmin.exe 58->74         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6/
Threat name:
Win64.Ransomware.Chaos
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 21:42:04 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6t4aayorihxdoaog65joqendmytdugcxjhu6uhm5cgzn7qxllda._file
Verdict:
malicious
Similar samples:
22a2d7af185892d400b7b98c62dedaf8ff9bfdf65fcc7c6c20d4ca102452db6d
Chaos
2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f
Chaos
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
Chaos
7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44
Chaos
aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb
Chaos
c6f0810b4ca4c2e70a07eddcbd14459e875deced05f5619dfd4df6f49a2130a9
Chaos
+ 2'727 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221004-lw7nfsaeb6/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b310bd49-d90b-47ef-a89c-1b5f2ca9a34f
Unpacked files
SH256 hash:
1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6
MD5 hash:
edaaba5a17d662d9565e57550a1e37c5
SHA1 hash:
8407263b522d54df4769f016ed6eff825a84e51b
Link:
https://www.unpac.me/results/eba8f827-41d7-4790-85d4-dabc16864f38/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1fa7c0030e8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316421/

Comments