MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4
SHA3-384 hash: cbfb8a493458e1efc2d288af59e083d37027739f791e93252dcc8fb50719cefc30c02747a560565c11ac60a610604096
SHA1 hash: a618620a2795af9dc27a0283910b0c79bf1714bc
MD5 hash: c54977e64b5f8156a9ddad0e2c34d798
humanhash: solar-texas-massachusetts-salami
File name:HEUR-Trojan-Ransom.MSIL.Agent.gen-45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4
Download: download sample
Signature Chaos
Create hunting rule
File size:80'384 bytes
First seen:2022-09-21 04:04:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:h3kI9n7+zir9SjFUlPTeEeLS43Pz7m26zhbETGiKZiIpq6e65Gn:h3km7+zir9SjFUlK5+433m28NEaiKMks
Threatray 2'583 similar samples on MalwareBazaar
TLSH T12A7360243AFF4019F3B3AF755FE4B5EE9A6EF6332A0A94692041034A4723E41DD91739
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:Chaos exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Archlocker V4.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 19:04:50 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/1488c899-ddbb-4970-8f01-9ef696d6fdd2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311868/
Detection(s):
Win.Ransomware.Hydracrypt-9878672-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd.exe packed ransomware
Link:
https://www.filescan.io/uploads/632a8d89b333b2ec6b3c9cad/reports/3194bf21-809f-4c4f-81a8-5eb785b12d5a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CHAOS Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc2bd102-524a-4c68-992d-f95b9e890980
Result
Threat name:
Chaos, Cryptolocker, TrojanRansom
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074256
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Sigma detected: Drops script at startup location
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Yara detected Chaos Ransomware
Yara detected Cryptolocker ransomware
Yara detected TrojanRansom
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 706798 Sample: bcb172e4.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 9 other signatures 2->85 8 bcb172e4.exe 4 2->8         started        11 powershell.exe 2->11         started        14 wbuser.exe 3 2->14         started        16 3 other processes 2->16 process3 file4 73 C:\Users\user\AppData\...\powershell.exe, PE32 8->73 dropped 75 C:\Users\...\powershell.exe:Zone.Identifier, ASCII 8->75 dropped 77 C:\Users\user\AppData\...\bcb172e4.exe.log, ASCII 8->77 dropped 18 powershell.exe 3 51 8->18         started        103 Deletes shadow drive data (may be related to ransomware) 11->103 105 Uses bcdedit to modify the Windows boot settings 11->105 22 cmd.exe 11->22         started        24 cmd.exe 11->24         started        26 cmd.exe 11->26         started        28 notepad.exe 11->28         started        107 Creates files inside the volume driver (system volume information) 14->107 signatures5 process6 file7 65 C:\Users\user\Documents\read_me.txt, ASCII 18->65 dropped 67 C:\Users\user\Documents\...\read_me.txt, ASCII 18->67 dropped 69 C:\Users\user\Documents\...\read_me.txt, ASCII 18->69 dropped 71 8 other malicious files 18->71 dropped 87 Antivirus detection for dropped file 18->87 89 Multi AV Scanner detection for dropped file 18->89 91 Machine Learning detection for dropped file 18->91 93 Writes a notice file (html or txt) to demand a ransom 18->93 30 cmd.exe 1 18->30         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        37 notepad.exe 18->37         started        95 May disable shadow drive data (uses vssadmin) 22->95 97 Deletes shadow drive data (may be related to ransomware) 22->97 39 WMIC.exe 1 22->39         started        41 conhost.exe 22->41         started        43 vssadmin.exe 1 22->43         started        99 Uses bcdedit to modify the Windows boot settings 24->99 45 3 other processes 24->45 101 Deletes the backup plan of Windows 26->101 47 2 other processes 26->47 signatures8 process9 signatures10 109 May disable shadow drive data (uses vssadmin) 30->109 111 Deletes shadow drive data (may be related to ransomware) 30->111 113 Uses bcdedit to modify the Windows boot settings 30->113 49 WMIC.exe 1 30->49         started        51 conhost.exe 30->51         started        53 vssadmin.exe 1 30->53         started        55 bcdedit.exe 8 1 33->55         started        57 bcdedit.exe 7 1 33->57         started        59 conhost.exe 33->59         started        115 Deletes the backup plan of Windows 35->115 61 conhost.exe 35->61         started        63 wbadmin.exe 3 35->63         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4/
Threat name:
ByteCode-MSIL.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 16:08:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iw4t3somagijxqrhpqgjqark7apkrcxlbfl6rz72tpizjpfrolsa._file
Verdict:
malicious
Similar samples:
02cf1973b602797cce3fe7a5647eb7fd93ca84b6617984ce71eb2d7389fcb120
Chaos
14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9
Chaos
4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
Chaos
47dca00b393f5db1a0842506125dda8ec426c699e22de2df32c95d65fb990893
Chaos
538da46bffb52cffd821cb51ebd76072b6775773df6113ac1e98edab0ca49a2a
Chaos
8befc91b605e2dd3ee8917f6e4b2ab943ec7900d257b704955c2defc0328b4d8
Chaos
d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c
Chaos
+ 2'573 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion ransomware spyware stealer
Link:
https://tria.ge/reports/220921-enh7kaehg8/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Sets desktop wallpaper using registry
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Executes dropped EXE
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/37ad1204-483a-47e1-b264-b6a833089dab
Unpacked files
SH256 hash:
45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4
MD5 hash:
c54977e64b5f8156a9ddad0e2c34d798
SHA1 hash:
a618620a2795af9dc27a0283910b0c79bf1714bc
Link:
https://www.unpac.me/results/8f4f3d89-b679-4577-af8a-6a923ecdcbb1/
Parent samples :
a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45b93dc9cc01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311868/

Comments