MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 202523606be3b79ee5b59b342404b0c4ec85df4182ceffd97d02fd02effdce89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Chaos


Vendor detections: 14



SHA256 hash: 202523606be3b79ee5b59b342404b0c4ec85df4182ceffd97d02fd02effdce89
SHA3-384 hash: 7a9feb97161b6bc3d53b8b8fdbadfe8981de4f4d84e9843fc7c65c2dc07d2a7e84a5780dc1e0f1a201fd5b7c02688a31
SHA1 hash: 220dffcf2a4064f0b01900def851823fa6e9e539
MD5 hash: 4dd53a1b9a5bc8e1c327abfa7774e287
humanhash: uniform-papa-nitrogen-stream
File name: getrekt.exe
Signature: Chaos
File size: 28'160 bytes
First seen: 2024-11-15 18:52:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'785 x Formbook, 12'305 x SnakeKeylogger)
ssdeep: 384:/FftWZPzzxAm1vp5ZRoDCFKW6pAnAQ5nelEOy5o91lDM5sp/82vG:/FW7zxAmpfyCz6pVQ5fho9kGR82+
Threatray: 244 similar samples on MalwareBazaar
TLSH: T15AC2B344BBFA5A36F6FF6F7869F250014735B952EC29D74E088D518A0C32B8CC960B67
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: juroots
Tags: Chaos exe Ransomware


juroots
opendir, not available anymore

Intelligence


File Origin
# of uploads: 1
# of downloads: 272
Origin country: CH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: getrekt.exe
Verdict: Malicious activity
Analysis date: 2024-11-15 18:48:59 UTC
Tags: chaos ransomware crypto-regex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: ransomware dropper micro
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-security cmd lolbin ransomware veeam wmic
Malware family: CHAOS Ransomware
Verdict: Malicious
Result
Threat name: Chaos, Voidcrypt
Detection: malicious
Classification: rans.phis.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to disable the Task Manager (.Net Source)
Deletes shadow drive data (may be related to ransomware)
Drops PE files with benign system names
Found ransom note / readme
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Overwrites Mozilla Firefox settings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Chaos Ransomware
Yara detected Voidcrypt Ransomware
Behaviour
Behavior Graph (ID 1556680; sample getrekt.exe; start date 15/11/2024; architecture WINDOWS; score 100), recovered from the rendered graph:
  Top signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Found ransom note / readme; 8 other signatures
  getrekt.exe: drops C:\Users\user\AppData\Roaming\svchost.exe (PE32); Deletes shadow drive data (may be related to ransomware); Drops PE files with benign system names; starts svchost.exe
  svchost.exe: drops C:\Users\user\AppData\...\times.json.4an6, C:\Users\user\AppData\Roaming\...\read_it.txt, C:\Users\user\AppData\...\xulstore.json.9bwx and 7 other malicious files; Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc); starts notepad.exe
  svchost.exe: drops C:\Users\user\read_it.txt, dYw9trBOUuy7sL9xTZGIliMEagg[1].css.rgsk, EYNLM9RfkEXFtD8WH1...jwzGA.br[1].js.ca9s and 28 other malicious files; Multi AV Scanner detection for dropped file; Deletes shadow drive data (may be related to ransomware); Writes a notice file (html or txt) to demand a ransom; 3 other signatures; starts notepad.exe
  Network: 127.0.0.1 (unknown)
Threat name: ByteCode-MSIL.Ransomware.Small
Status: Malicious
First seen: 2024-11-15 18:53:03 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 33 of 38 (86.84%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:chaos persistence ransomware spyware stealer
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Chaos
Chaos Ransomware
Chaos family
Verdict: Malicious
Tags: ransomware chaos Win.Ransomware.Hydracrypt-9878672-0
YARA: MALWARE_Win_Chaos
Unpacked files
SHA256 hash: 202523606be3b79ee5b59b342404b0c4ec85df4182ceffd97d02fd02effdce89
MD5 hash: 4dd53a1b9a5bc8e1c327abfa7774e287
SHA1 hash: 220dffcf2a4064f0b01900def851823fa6e9e539
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Destructive_Ransomware_Gen1
Author: Florian Roth (Nextron Systems)
Description: Detects destructive malware
Reference: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name: Destructive_Ransomware_Gen1_RID31CB
Author: Florian Roth
Description: Detects destructive malware
Reference: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: Detects command variations typically used by ransomware

Rule name: INDICATOR_SUSPICOUS_EXE_References_VEEAM
Author: ditekSHen
Description: Detects executables containing many references to VEEAM. Observed in ransomware

Rule name: MALWARE_Win_Chaos
Author: ditekSHen
Description: Detects Chaos ransomware

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
