MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Chaos


Vendor detections: 16



SHA256 hash: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c
SHA3-384 hash: 3d36f595872a95dc8e627a0b860195751c18c4c5be71f53ca7405b9d5457e296c37a9ced6d5480b377edcda15411850a
SHA1 hash: a6465ab1188bbcfe23c3c81ed4c023235855f05a
MD5 hash: 59e4c8cd9cd8b169a7f7a1dfc6c5bffc
humanhash: victor-uncle-india-beer
File name: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c
Signature: Chaos
File size: 19'383'808 bytes
First seen: 2024-09-04 12:16:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (36 x CoinMiner, 19 x AsyncRAT, 18 x QuasarRAT)
ssdeep: 393216:xLzGo9tdxASne3v0i6E9+3rE0PmtF0CwJcYHJPDl+XFJ1a3MObmrrCq21t1:MFSe/eE9+40PjN6Ypx+Xs3MOQ
TLSH: T1201723A87EC5B8F8E76F5D7202CEF536A212216FD502F65EC136F781C9531022A13E5A
TrID:
  35.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  22.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  4.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: JAMESWT_WT
Tags: Chaos exe master-repogen-vercel-app

Intelligence


File Origin
# of uploads: 1
# of downloads: 413
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c
Verdict: Malicious activity
Analysis date: 2024-09-04 12:21:12 UTC
Tags: pyinstaller discordgrabber generic stealer waspstealer python discord evasion crypto-regex chaos ransomware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Discovery Execution Network Stealth Trojan Lazy
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Running batch commands
DNS request
Connection attempt
Delayed reading of the file
Creating a file in the %AppData% directory
Sending a custom TCP request
Launching a service
Searching for synchronization primitives
Modifying an executable file
Changing a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Preventing system recovery
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Malware family: CHAOS Ransomware
Verdict: Malicious
Result
Threat name: Python Stealer, CStealer, Chaos
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
Contains functionality to disable the Task Manager (.Net Source)
Creates files inside the volume driver (system volume information)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Encrypted powershell cmdline option found
Found ransom note / readme
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sigma detected: Delete shadow copy via WMIC
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected Chaos Ransomware
Yara detected CStealer
Yara detected Generic Python Stealer
Behaviour
Behavior Graph (ID 1504075; sample qlk8old6p9.exe; start date 04/09/2024; architecture WINDOWS; score 100). The graph image did not survive extraction; the nodes and edges it listed are laid out below as a process tree.

Root-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 15 other signatures.

Network: rentry.co (172.67.75.40, port 443, CLOUDFLARENETUS, United States; "Connects to a pastebin service (likely for C&C)"); tse1.mm.bing.net; 127.0.0.1; 2 other IPs or domains.

Process tree:
qlk8old6p9.exe (Encrypted powershell cmdline option found; Deletes shadow drive data (may be related to ransomware); Writes many files with high entropy; drops C:\Users\user\AppData\Local\Temp\Mai.exe, PE32+)
  Mai.exe (Multi AV Scanner detection for dropped file; drops C:\Users\user\AppData\Local\...\win32api.pyd, C:\Users\user\AppData\...\unicodedata.pyd, C:\Users\user\AppData\Local\...\ucrtbase.dll, all PE32+, and 106 other malicious files)
    Mai.exe (connects to rentry.co)
      cmd.exe (May disable shadow drive data (uses vssadmin); Deletes shadow drive data; Uses bcdedit to modify the Windows boot settings)
        conhost.exe
  Main.exe (Deletes shadow drive data; drops C:\Users\user\...\Console Window Host.exe, PE32)
    Console Window Host.exe (Deletes shadow drive data; Overwrites Mozilla Firefox settings; Uses bcdedit to modify the Windows boot settings; 4 other signatures; drops C:\Users\user\...\profiles.ini.DeathGrip, C:\Users\user\AppData\...\prefs.js.DeathGrip, C:\Users\user\AppData\Roaming\...\read_it.txt (ASCII) and 62 other malicious files)
      cmd.exe -> conhost.exe, vssadmin.exe, WMIC.exe
      cmd.exe -> conhost.exe, bcdedit.exe, bcdedit.exe
      cmd.exe (Deletes the backup plan of Windows) -> conhost.exe, wbadmin.exe
      notepad.exe
  powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
Console Window Host.exe (Uses bcdedit to modify the Windows boot settings; Tries to harvest and steal browser information (history, passwords, etc))
  cmd.exe (May disable shadow drive data (uses vssadmin)) -> conhost.exe, vssadmin.exe, WMIC.exe
  cmd.exe (Uses bcdedit to modify the Windows boot settings) -> conhost.exe, 2 other processes
  cmd.exe (Deletes the backup plan of Windows) -> 2 other processes
  notepad.exe
wbengine.exe (Creates files inside the volume driver (system volume information))
5 other processes (127.0.0.1)
Threat name: Win32.Ransomware.Apis
Status: Malicious
First seen: 2024-07-04 14:58:17 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:chaos credential_access defense_evasion discovery evasion execution impact persistence pyinstaller ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Sets desktop wallpaper using registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Deletes backup catalog
Disables Task Manager via registry modification
Credentials from Password Stores: Credentials from Web Browsers
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (181) files with added filename extension
Chaos
Chaos Ransomware
Unpacked files
SHA256 hash: 8ae1d9e815abc504d01b48ecf21e4133b34b4b3e4a0e93804f44f8a9b328bd5d
MD5 hash: f55de5b6c0d9f50f0c60f756f7fe95d8
SHA1 hash: 560065e8fbc3eb7743c74d3300d73db16141fd1f
SHA256 hash: ca69a391adb4ff9a5a8ea9eb892cc610d88ecea1b495dfa4caf727c60dc8262c
MD5 hash: 59e4c8cd9cd8b169a7f7a1dfc6c5bffc
SHA1 hash: a6465ab1188bbcfe23c3c81ed4c023235855f05a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings (ID, title, severity):
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (severity: high)
Reviews (ID, capability, evidence):
SHELL_API: Manipulates System Shell (evidence: shell32.dll::ShellExecuteA)

Comments