MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44
SHA3-384 hash: ead58a0552a43b419fceda282975c8738b3ed80f34eb7ea09331bddbcacc6e53077edbc130879009c325fc9d2be1a215
SHA1 hash: bf62ceedb090e892bcd4df0f6afba562efa934c9
MD5 hash: f4f13a5e6735a9d891a242e8d2f5c57e
humanhash: summer-vermont-mango-oscar
File name:7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44
Download: download sample
Signature Chaos
Create hunting rule
File size:8'249'856 bytes
First seen:2022-10-04 09:53:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 49152:35gxSk3Ro5Zrb/TzvO90d7HjmAFd4A64nsfJcUMgXKRQHfDQqz1hHsG0fX+flZ0G:i3IL8NM9fXO0A
Threatray 265 similar samples on MalwareBazaar
TLSH T17C86CFB979047CE6D5AE4377CEA6A8D8237139228F9766CB5064B7D309733E0EE32504
gimphash 96be8a11bd4ebd4118e9ab251061a0fabf128593f29c7cacfa55479d4d8626f4
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter petikvx
Tags:Chaos exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
554
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/316423/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Preventing system recovery
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41040/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
golang packed
Link:
https://www.filescan.io/uploads/633c02c55c60ccc9fcff2f2a/reports/155263d6-6e68-4664-b64e-ed7c83356bcf/overview
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/708ebc4b-1aa9-4914-a5c5-24bc994dadc3
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083113
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Contains functionality to disable the Task Manager (.Net Source)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Found ransom note / readme
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Chaos Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715670 Sample: LgJhBnEvHX.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 103 Malicious sample detected (through community Yara rule) 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 6 other signatures 2->109 10 LgJhBnEvHX.exe 2 2->10         started        13 svchost.exe 2->13         started        16 wbengine.exe 2->16         started        18 5 other processes 2->18 process3 file4 93 C:\Users\user\...\go-memexec-2926600055.exe, PE32+ 10->93 dropped 20 go-memexec-2926600055.exe 3 10->20         started        24 conhost.exe 10->24         started        141 Deletes shadow drive data (may be related to ransomware) 13->141 143 Uses bcdedit to modify the Windows boot settings 13->143 145 Tries to harvest and steal browser information (history, passwords, etc) 13->145 147 Modifies existing user documents (likely ransomware behavior) 13->147 26 cmd.exe 13->26         started        28 cmd.exe 13->28         started        30 cmd.exe 13->30         started        149 Creates files inside the volume driver (system volume information) 16->149 signatures5 process6 file7 81 C:\Users\user\Desktop\svchost.exe, PE32+ 20->81 dropped 83 C:\Users\user\...\go-memexec-822725114.exe, PE32 20->83 dropped 111 Multi AV Scanner detection for dropped file 20->111 113 Drops PE files with benign system names 20->113 115 Potentially malicious time measurement code found 20->115 32 go-memexec-822725114.exe 5 20->32         started        117 May disable shadow drive data (uses vssadmin) 26->117 119 Deletes shadow drive data (may be related to ransomware) 26->119 36 conhost.exe 26->36         started        38 vssadmin.exe 26->38         started        40 WMIC.exe 26->40         started        121 Uses bcdedit to modify the Windows boot settings 28->121 42 conhost.exe 28->42         started        44 bcdedit.exe 28->44         started        46 bcdedit.exe 28->46         started        123 Deletes the backup plan of Windows 30->123 48 conhost.exe 30->48         started        50 wbadmin.exe 30->50         started        signatures8 process9 file10 79 C:\Users\user\AppData\Roaming\svchost.exe, PE32 32->79 dropped 95 Antivirus detection for dropped file 32->95 97 Multi AV Scanner detection for dropped file 32->97 99 Machine Learning detection for dropped file 32->99 101 Drops PE files with benign system names 32->101 52 svchost.exe 2 502 32->52         started        signatures11 process12 file13 85 C:\Users\user\read_it.txt, ASCII 52->85 dropped 87 C:\Users\user\AppData\Roaming\...\read_it.txt, ASCII 52->87 dropped 89 C:\...\CachedImage_1280_1024_POS4.jpg.qype, data 52->89 dropped 91 28 other malicious files 52->91 dropped 125 Multi AV Scanner detection for dropped file 52->125 127 Deletes shadow drive data (may be related to ransomware) 52->127 129 Writes a notice file (html or txt) to demand a ransom 52->129 131 3 other signatures 52->131 56 cmd.exe 1 52->56         started        59 cmd.exe 1 52->59         started        61 cmd.exe 52->61         started        signatures14 process15 signatures16 133 May disable shadow drive data (uses vssadmin) 56->133 135 Deletes shadow drive data (may be related to ransomware) 56->135 137 Uses bcdedit to modify the Windows boot settings 56->137 63 WMIC.exe 1 56->63         started        65 conhost.exe 56->65         started        67 vssadmin.exe 1 56->67         started        69 bcdedit.exe 8 1 59->69         started        71 conhost.exe 59->71         started        73 bcdedit.exe 59->73         started        139 Deletes the backup plan of Windows 61->139 75 conhost.exe 61->75         started        77 wbadmin.exe 61->77         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44/
Threat name:
Win64.Hacktool.Ekocit
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 21:58:07 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pzmy4taxz7esei6alovt3rqpbnrskua6ldxticiomnkvp4u655ca._file
Verdict:
malicious
Similar samples:
22a2d7af185892d400b7b98c62dedaf8ff9bfdf65fcc7c6c20d4ca102452db6d
Chaos
2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f
Chaos
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
Chaos
c6f0810b4ca4c2e70a07eddcbd14459e875deced05f5619dfd4df6f49a2130a9
Chaos
cdc9f6db38735ea160b075611a5ff62fdfe572f543a59f5170856e067fbf5112
Chaos
fcd01c9fed690b2bad435c5bab5925cc1132c4c622f18af09d437f9e4957b84b
Chaos
+ 255 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221004-lw7y8aaeb7/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d63040e5-486e-4e41-8ce9-1ed4db658a07
Unpacked files
SH256 hash:
7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44
MD5 hash:
f4f13a5e6735a9d891a242e8d2f5c57e
SHA1 hash:
bf62ceedb090e892bcd4df0f6afba562efa934c9
Link:
https://www.unpac.me/results/f88512f6-d063-48c5-8de7-9961b407f8ee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e598e4c17cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316423/

Comments