MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f
SHA3-384 hash: a134d9bb424d68af6ec76291613658762b2f9c5eeec6efc32e8f7a27e5b0506141e1cd4e1bb50f3a7b24932d4909e1b6
SHA1 hash: 12687458b19ec21ba567ac2bc974434a55855b64
MD5 hash: b89623caba31b7994735f4f5bf437fcd
humanhash: hamper-river-alanine-dakota
File name:6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f
Download: download sample
Signature Chaos
Create hunting rule
File size:204'288 bytes
First seen:2022-12-18 15:12:00 UTC
Last seen:2022-12-19 09:25:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'785 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 3072:fBZmq9ePWNIG+9tv+9q9tBFKfpYnmig3/Vl0hpVervREDLUYwExij:fBZmq9ju3HFKDi3pOeLb
Threatray 3'586 similar samples on MalwareBazaar
TLSH T1E914F12429FA501EF3B3AE7A4BE475DAD57EF6722707546930A103860623D42DDC2B3B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71e0e8d04ce8f071 (3 x Chaos)
Reporter petikvx
Tags:Chaos exe Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
497
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f
Verdict:
Malicious activity
Analysis date:
2022-12-18 15:14:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/914cfb8f-8d4a-4dde-baf4-ce6c026bcf37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/347646/
Detection(s):
Win.Ransomware.Hydracrypt-9878672-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Searching for synchronization primitives
Changing a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Preventing system recovery
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
cmd.exe packed
Link:
https://www.filescan.io/uploads/639f2dc49064146f713469aa/reports/3860dd13-a490-4796-aa81-a88011be4468/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b897308e-2696-4039-bb22-6c6f3c93c37a
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1136647
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to disable the Task Manager (.Net Source)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected Chaos Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 769377 Sample: yGYlwTScr7.exe Startdate: 18/12/2022 Architecture: WINDOWS Score: 100 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 6 other signatures 2->94 8 yGYlwTScr7.exe 5 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 13 other processes 2->16 process3 file4 76 C:\Users\user\AppData\Roaming\svchost.exe, PE32 8->76 dropped 114 Drops PE files with benign system names 8->114 18 svchost.exe 2 502 8->18         started        78 C:\...\CachedImage_1280_1024_POS4.jpg.dzp2, data 12->78 dropped 116 Deletes shadow drive data (may be related to ransomware) 12->116 118 Uses bcdedit to modify the Windows boot settings 12->118 120 Tries to harvest and steal browser information (history, passwords, etc) 12->120 122 Modifies existing user documents (likely ransomware behavior) 12->122 22 cmd.exe 12->22         started        24 cmd.exe 12->24         started        26 cmd.exe 12->26         started        28 notepad.exe 12->28         started        124 Changes security center settings (notifications, updates, antivirus, firewall) 14->124 30 MpCmdRun.exe 14->30         started        126 Query firmware table information (likely to detect VMs) 16->126 signatures5 process6 file7 68 C:\...\Built-In Building Blocks.dotx.yqup, data 18->68 dropped 70 C:\Users\user\AppData\...\TURABIAN.XSL.bhq2, data 18->70 dropped 72 C:\Users\user\AppData\...\SIST02.XSL.6qaq, data 18->72 dropped 74 36 other malicious files 18->74 dropped 96 Multi AV Scanner detection for dropped file 18->96 98 Creates files inside the volume driver (system volume information) 18->98 100 Deletes shadow drive data (may be related to ransomware) 18->100 108 3 other signatures 18->108 32 cmd.exe 1 18->32         started        35 cmd.exe 1 18->35         started        37 cmd.exe 18->37         started        102 May disable shadow drive data (uses vssadmin) 22->102 39 conhost.exe 22->39         started        41 vssadmin.exe 22->41         started        43 WMIC.exe 22->43         started        104 Uses bcdedit to modify the Windows boot settings 24->104 47 3 other processes 24->47 106 Deletes the backup plan of Windows 26->106 49 2 other processes 26->49 45 conhost.exe 30->45         started        signatures8 process9 signatures10 80 May disable shadow drive data (uses vssadmin) 32->80 82 Deletes shadow drive data (may be related to ransomware) 32->82 84 Uses bcdedit to modify the Windows boot settings 32->84 51 vssadmin.exe 1 32->51         started        54 WMIC.exe 1 32->54         started        56 conhost.exe 32->56         started        58 conhost.exe 35->58         started        60 bcdedit.exe 35->60         started        62 bcdedit.exe 35->62         started        86 Deletes the backup plan of Windows 37->86 64 conhost.exe 37->64         started        66 wbadmin.exe 37->66         started        process11 signatures12 110 Deletes shadow drive data (may be related to ransomware) 51->110 112 Uses bcdedit to modify the Windows boot settings 51->112
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f/
Threat name:
ByteCode-MSIL.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 13:39:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nsvklvs6gfb4cjo7vxwwtpm4jot3nyczjqrsr3j54dd3zk7a5uxq._file
Verdict:
malicious
Similar samples:
1fa7c0030e8a0f71b80e37ba97408d1b3131d0c2ba4f4f50ece88d96fe175ac6
Chaos
649d0574000b38f08e0c76018f8e4267a5e9c22a714b9c4138838ba91ef94b92
Chaos
6b8e57d157a7d0567aa89b96bfedc463c1b46b6c2536dcdcd57a24c84cc45d3b
Chaos
7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44
Chaos
93a4d36a6e6ae87c790522b78f581e871cfec793e301c54e7a596c9561f9313c
Chaos
aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb
Chaos
d2238bcff8d4ff94256c8df702a31182763fa55325040cd484bc9abae2e69c5a
Chaos
+ 3'576 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221218-sk6qcace58/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9b14fe9-7f0f-4367-a88e-d61f218b8107
Unpacked files
SH256 hash:
6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f
MD5 hash:
b89623caba31b7994735f4f5bf437fcd
SHA1 hash:
12687458b19ec21ba567ac2bc974434a55855b64
Link:
https://www.unpac.me/results/7cf2e5d5-aba2-4885-ae38-5ddb0ecaadea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6caaa5d65e31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/347646/

Comments