MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb
SHA3-384 hash: bf666662b1eeb1b75cbfc0270d0a70b908e2e1bd50ec8c9854aaffba0f70dd03dea8d5ad935affd7dc6dded31de46680
SHA1 hash: 1549520335fac63de592a3cd6e28f8a8e7386690
MD5 hash: 905fb6726a853b68c6d5d45f5b1bd0d5
humanhash: six-neptune-cup-king
File name:aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb
Download: download sample
Signature Chaos
Create hunting rule
File size:2'898'432 bytes
First seen:2022-10-04 09:53:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 37 x Vidar)
ssdeep 49152:cQ/UI0/c3SHvGErb/TJvO90d7HjmAFd4A64nsfJkPsR5gXKRQHfD2cz1Mgkd0yxV:ce3SO918o9OyxBlZj0A
Threatray 2'733 similar samples on MalwareBazaar
TLSH T103D59C07BC9464B6C9AE92328AB692D17731BC890F2177C73A14B6FA2E733D05E35354
gimphash 96be8a11bd4ebd4118e9ab251061a0fabf128593f29c7cacfa55479d4d8626f4
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter petikvx
Tags:Chaos exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
523
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/316422/
Detection(s):
Win.Malware.Wingo-9966132-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Preventing system recovery
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41039/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang greyware packed
Link:
https://www.filescan.io/uploads/633c02c3d089a0c15dd4fdcf/reports/f882d656-5e5d-4c8e-9eea-2f63e14fd9e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee84cedf-ca9d-4089-927b-8513e809bcaf
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083115
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Contains functionality to disable the Task Manager (.Net Source)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Found ransom note / readme
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Chaos Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715674 Sample: psxr22u03e.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 92 Malicious sample detected (through community Yara rule) 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Found ransom note / readme 2->96 98 5 other signatures 2->98 9 psxr22u03e.exe 3 2->9         started        13 svchost.exe 2->13         started        15 wbengine.exe 2->15         started        17 5 other processes 2->17 process3 file4 86 C:\Users\user\Desktop\svchost.exe, PE32 9->86 dropped 88 C:\Users\user\...\go-memexec-3760759512.exe, PE32 9->88 dropped 132 Drops PE files with benign system names 9->132 134 Potentially malicious time measurement code found 9->134 19 go-memexec-3760759512.exe 5 9->19         started        23 conhost.exe 9->23         started        90 C:\...\CachedImage_1280_1024_POS4.jpg.1qbd, data 13->90 dropped 136 Deletes shadow drive data (may be related to ransomware) 13->136 138 Uses bcdedit to modify the Windows boot settings 13->138 140 Tries to harvest and steal browser information (history, passwords, etc) 13->140 142 Modifies existing user documents (likely ransomware behavior) 13->142 25 cmd.exe 13->25         started        27 cmd.exe 13->27         started        29 cmd.exe 13->29         started        31 notepad.exe 13->31         started        144 Creates files inside the volume driver (system volume information) 15->144 signatures5 process6 file7 84 C:\Users\user\AppData\Roaming\svchost.exe, PE32 19->84 dropped 108 Antivirus detection for dropped file 19->108 110 Multi AV Scanner detection for dropped file 19->110 112 Machine Learning detection for dropped file 19->112 114 Drops PE files with benign system names 19->114 33 svchost.exe 2 502 19->33         started        116 May disable shadow drive data (uses vssadmin) 25->116 118 Deletes shadow drive data (may be related to ransomware) 25->118 37 conhost.exe 25->37         started        39 vssadmin.exe 25->39         started        41 WMIC.exe 25->41         started        120 Uses bcdedit to modify the Windows boot settings 27->120 43 conhost.exe 27->43         started        45 bcdedit.exe 27->45         started        47 bcdedit.exe 27->47         started        122 Deletes the backup plan of Windows 29->122 49 conhost.exe 29->49         started        51 wbadmin.exe 29->51         started        signatures8 process9 file10 76 C:\Users\user\read_it.txt, ASCII 33->76 dropped 78 C:\...\Built-In Building Blocks.dotx.598y, data 33->78 dropped 80 C:\Users\user\AppData\...\TURABIAN.XSL.652t, data 33->80 dropped 82 35 other malicious files 33->82 dropped 100 Deletes shadow drive data (may be related to ransomware) 33->100 102 Writes a notice file (html or txt) to demand a ransom 33->102 104 Uses bcdedit to modify the Windows boot settings 33->104 106 3 other signatures 33->106 53 cmd.exe 1 33->53         started        56 cmd.exe 1 33->56         started        58 cmd.exe 33->58         started        signatures11 process12 signatures13 124 May disable shadow drive data (uses vssadmin) 53->124 126 Deletes shadow drive data (may be related to ransomware) 53->126 128 Uses bcdedit to modify the Windows boot settings 53->128 60 WMIC.exe 1 53->60         started        62 conhost.exe 53->62         started        64 vssadmin.exe 1 53->64         started        66 bcdedit.exe 8 1 56->66         started        68 conhost.exe 56->68         started        70 bcdedit.exe 56->70         started        130 Deletes the backup plan of Windows 58->130 72 conhost.exe 58->72         started        74 wbadmin.exe 58->74         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb/
Threat name:
Win64.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 21:56:44 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjid3wywnl7vpefejxa46zeeb63skhjlkcpxwpxla4xvtnomplvq._file
Verdict:
malicious
Similar samples:
22a2d7af185892d400b7b98c62dedaf8ff9bfdf65fcc7c6c20d4ca102452db6d
Chaos
2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f
Chaos
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
Chaos
7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44
Chaos
c6f0810b4ca4c2e70a07eddcbd14459e875deced05f5619dfd4df6f49a2130a9
Chaos
fcd01c9fed690b2bad435c5bab5925cc1132c4c622f18af09d437f9e4957b84b
Chaos
+ 2'723 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221004-lw7nfsagep/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Deletes backup catalog
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/11685b8a-ed1a-4514-afe0-a938020a30b3
Unpacked files
SH256 hash:
aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb
MD5 hash:
905fb6726a853b68c6d5d45f5b1bd0d5
SHA1 hash:
1549520335fac63de592a3cd6e28f8a8e7386690
Link:
https://www.unpac.me/results/0f16311e-2f09-4bef-b86b-ee27b79be44c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa503ddb166a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/aa503ddb166aff5790a44dc1cf64840fb7251d2b509f7b3eeb072f59b5cc7aeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316422/

Comments