MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da
SHA3-384 hash: b480e5b7f9fc797459230d0084fe968008bb0a31d52f257903f2341df4270380394a19da324719f3d5a5e68d42578006
SHA1 hash: 1f61dc040fc2a830028060b8ba7f23a180e5a51f
MD5 hash: 40d3bd592cbeefff05b530ad8450c960
humanhash: whiskey-lactose-mirror-bacon
File name:2023-02-17_40d3bd592cbeefff05b530ad8450c960_wannacry
Download: download sample
Signature Chaos
Create hunting rule
File size:2'843'136 bytes
First seen:2023-02-18 16:28:56 UTC
Last seen:2023-02-18 16:29:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'856 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 24576:oKS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfE:oKSy6PX3PpM+P5Id
Threatray 857 similar samples on MalwareBazaar
TLSH T1B2D52D3839EA9019F1B3EF7A6FD4B9D7DA9FB7733A0294191081034B4623A81DD9153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0f4b27959b2f4f0 (6 x Chaos, 2 x WannaCry)
Reporter petikvx
Tags:Chaos

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2023-02-17_40d3bd592cbeefff05b530ad8450c960_wannacry
Verdict:
Malicious activity
Analysis date:
2023-02-18 16:29:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0bb40fff-dc9c-4c6c-a534-66da1ea77885

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368147/
Detection(s):
Win.Ransomware.Hydracrypt-9878672-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Searching for synchronization primitives
Changing a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Preventing system recovery
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Stealing user critical data
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker cmd.exe filecoder hydracrypt ransomware ransomx
Link:
https://www.filescan.io/uploads/63f0fccf4cf031c9c07a24e7/reports/739f47e1-24da-4dbc-ac2e-06b994de3277/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1520ca7e-c32e-4c5a-ab49-dd34cffee472
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178698
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected Chaos Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811524 Sample: 2WwkHiQkMO.exe Startdate: 18/02/2023 Architecture: WINDOWS Score: 100 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 4 other signatures 2->94 8 2WwkHiQkMO.exe 5 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 12 other processes 2->16 process3 file4 76 C:\Users\user\AppData\Roaming\svchost.exe, PE32 8->76 dropped 110 Drops PE files with benign system names 8->110 18 svchost.exe 2 502 8->18         started        112 Deletes shadow drive data (may be related to ransomware) 12->112 114 Uses bcdedit to modify the Windows boot settings 12->114 116 Tries to harvest and steal browser information (history, passwords, etc) 12->116 23 cmd.exe 12->23         started        25 cmd.exe 12->25         started        27 cmd.exe 12->27         started        29 cmd.exe 12->29         started        118 Changes security center settings (notifications, updates, antivirus, firewall) 14->118 31 conhost.exe 16->31         started        signatures5 process6 dnsIp7 78 192.168.2.1 unknown unknown 18->78 68 C:\...\APASixthEditionOfficeOnline.xsl.7h9o, data 18->68 dropped 70 C:\Users\user\AppData\...\4es7jlvlt.jpg.r2po, data 18->70 dropped 72 C:\...\0.0.filtertrie.intermediate.txt.asiw, data 18->72 dropped 74 52 other malicious files 18->74 dropped 96 Multi AV Scanner detection for dropped file 18->96 98 Creates files inside the volume driver (system volume information) 18->98 100 Deletes shadow drive data (may be related to ransomware) 18->100 108 3 other signatures 18->108 33 cmd.exe 1 18->33         started        36 cmd.exe 1 18->36         started        38 cmd.exe 18->38         started        102 May disable shadow drive data (uses vssadmin) 23->102 40 conhost.exe 23->40         started        42 vssadmin.exe 23->42         started        44 WMIC.exe 23->44         started        104 Uses bcdedit to modify the Windows boot settings 25->104 48 3 other processes 25->48 106 Deletes the backup plan of Windows 27->106 50 2 other processes 27->50 46 conhost.exe 29->46         started        file8 signatures9 process10 signatures11 80 May disable shadow drive data (uses vssadmin) 33->80 82 Deletes shadow drive data (may be related to ransomware) 33->82 84 Uses bcdedit to modify the Windows boot settings 33->84 52 WMIC.exe 1 33->52         started        54 conhost.exe 33->54         started        56 vssadmin.exe 1 33->56         started        58 bcdedit.exe 8 1 36->58         started        60 bcdedit.exe 7 1 36->60         started        62 conhost.exe 36->62         started        86 Deletes the backup plan of Windows 38->86 64 conhost.exe 38->64         started        66 wbadmin.exe 38->66         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da/
Threat name:
ByteCode-MSIL.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2023-02-17 13:56:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
29 of 39 (74.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcrhpjzrjblrpqa2puqpw2xxsx5ieorbtonqd3rpi5uisyikfdna._file
Verdict:
malicious
Similar samples:
085a2a09cfdab9a65f50fa2ad4bdd21645463bd36e8a01b9b5a4accabc1c5055
Chaos
649d0574000b38f08e0c76018f8e4267a5e9c22a714b9c4138838ba91ef94b92
Chaos
6b8e57d157a7d0567aa89b96bfedc463c1b46b6c2536dcdcd57a24c84cc45d3b
Chaos
6caaa5d65e3143c125dfaded69bd9c4ba7b6e0594c2328ed3de0c7bcabe0ed2f
Chaos
7e8dcb5774663532ad7100c5a702c3deb32a1bd6eeacba1a1145adec6c88ae03
Chaos
c6f33250cd71b939f5514170a1e7ba3d0a996a3a7bfc3156e1ae6654b55c7c01
Chaos
d2238bcff8d4ff94256c8df702a31182763fa55325040cd484bc9abae2e69c5a
Chaos
+ 847 additional samples on MalwareBazaar
Result
Malware family:
chaos
Create hunting rule
Score:
  10/10
Tags:
family:chaos evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230218-ty8brscg33/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes backup catalog
Disables Task Manager via registry modification
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Chaos
Chaos Ransomware
Unpacked files
SH256 hash:
b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da
MD5 hash:
40d3bd592cbeefff05b530ad8450c960
SHA1 hash:
1f61dc040fc2a830028060b8ba7f23a180e5a51f
Link:
https://www.unpac.me/results/c994b212-85e3-4d7b-9287-dbf8acabea1d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8a277a73148/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b8a277a731485717c01a7d20fb6af795fa823a219b9b01ee2f476889610a28da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368147/

Comments