MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f00731846286fee5a6fca51ebdee6825454eb3a6fec5467b8bf12e7263d9b6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Chaos

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	9f00731846286fee5a6fca51ebdee6825454eb3a6fec5467b8bf12e7263d9b6c
SHA3-384 hash:	921a066e4154d0710b3f246819450389b27706a5e8b54ec0498e7f0b2c0f12b20dbb8d3f7030113e478f34249d64dd6c
SHA1 hash:	131f6467afa1c14d7d884e69128570473100b018
MD5 hash:	7e48410ace9b417500edd359bbf4683a
humanhash:	bulldog-zulu-idaho-california
File name:	2023-03-01_7e48410ace9b417500edd359bbf4683a_destroyer_wannacry
Download:	download sample
Signature	Chaos Create hunting rule
File size:	28'160 bytes
First seen:	2023-03-05 08:03:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'785 x Formbook, 12'305 x SnakeKeylogger)
ssdeep	384:+tWZPzzxAm1vp5Z+HxbEWx0OeuBbdcluiOy5o91WnZBq5982vi:j7zxAmpwb70Oeu1who94nPqj82q
Threatray	147 similar samples on MalwareBazaar
TLSH	T110C2B44477FA4636F6FF6F7869B251014B36B956DC29E74D088E11890C32B8CCDA0B6B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	petikvx
Tags:	Chaos

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2023-03-01_7e48410ace9b417500edd359bbf4683a_destroyer_wannacry

Verdict:

Malicious activity

Analysis date:

2023-03-05 08:05:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6014e373-bdc0-4a77-a307-466f640a9e41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Chaos

Link:

https://www.capesandbox.com/analysis/371691/

Detection(s):

Win.Ransomware.Hydracrypt-9878672-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Searching for the window

Changing a file

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Encrypting user's files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe packed ransomware

Link:

https://www.filescan.io/uploads/64044cfaf110781a3903a18b/reports/80f344e1-4a2c-41a5-b3db-4823862a2090/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9f00731846286fee5a6fca51ebdee6825454eb3a6fec5467b8bf12e7263d9b6c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a9ef8eda-2ea3-4536-8352-5e5f053db8bb

Result

Threat name:

Chaos, Conti, Voidcrypt

Detection:

malicious

Classification:

rans

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1187313

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Drops PE files with benign system names

Found ransom note / readme

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Yara detected Chaos Ransomware

Yara detected Conti ransomware

Yara detected Voidcrypt Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f00731846286fee5a6fca51ebdee6825454eb3a6fec5467b8bf12e7263d9b6c/

Threat name:

ByteCode-MSIL.Ransomware.FileCoder

Status:

Malicious

First seen:

2023-03-01 22:40:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

32 of 39 (82.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t4ahggcgfbx64wtpzji6xxxgqjkfj2z2n7wfiz5yx4joojr5tnwa._file

Verdict:

malicious

Chaos

649d0574000b38f08e0c76018f8e4267a5e9c22a714b9c4138838ba91ef94b92

Chaos

6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f

Chaos

7e8dcb5774663532ad7100c5a702c3deb32a1bd6eeacba1a1145adec6c88ae03

Chaos

9b0cfabed9fbf6b05c74e5a31eb500fea0691c84fa736dd25e8e5013a35f038e

Chaos

c1aa3e51afee0bd1358018badcb31484d0c4d743281b350fee18ef4bf102891f

Chaos

f186e55feac04f6c0477e8a6c60527ac4a95c8659727b464875e8717c86ac60a

Chaos

+ 137 additional samples on MalwareBazaar

Result

Malware family:

chaos

Score:

10/10

Tags:

family:chaos persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230305-jx94vsga77/

Behaviour

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Drops desktop.ini file(s)

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Modifies extensions of user files

Chaos

Chaos Ransomware

Unpacked files

SH256 hash:

9f00731846286fee5a6fca51ebdee6825454eb3a6fec5467b8bf12e7263d9b6c

MD5 hash:

7e48410ace9b417500edd359bbf4683a

SHA1 hash:

131f6467afa1c14d7d884e69128570473100b018

Link:

https://www.unpac.me/results/6bf5ca0b-3feb-48aa-be7e-ac2368c00f02/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9f0073184628/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/9f00731846286fee5a6fca51ebdee6825454eb3a6fec5467b8bf12e7263d9b6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Destructive_Ransomware_Gen1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	Destructive_Ransomware_Gen1_RID31CB Create hunting rule
Author:	Florian Roth
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	MALWARE_Win_Chaos Create hunting rule
Author:	ditekSHen
Description:	Detects Chaos ransomware

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371691/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample