MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb69b4b5637a6b7aa40ba7ae56ed617d375f67984c3028a7607e1764fdda8490. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chaos


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb69b4b5637a6b7aa40ba7ae56ed617d375f67984c3028a7607e1764fdda8490
SHA3-384 hash: 0faeec5c274635ff00f9a029c88729a51bb19c5f330f6564742c875817433e787f004e91cbe84e9b4f2d58afb4052a41
SHA1 hash: fa047c9a9e8dc5fa2f92ad34e02e309edfcd0b61
MD5 hash: 5fdd033b614e18f7ebbfca2e7d6a1996
humanhash: nine-alabama-indigo-hot
File name:as55.exe
Download: download sample
Signature Chaos
Create hunting rule
File size:1'889'792 bytes
First seen:2022-10-21 02:39:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (422 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:3Dmghls3y1+XfWL6Vcp5/e2JtJA6O33q74dXV:Tmghls5Bq/nnA3q74d
Threatray 2 similar samples on MalwareBazaar
TLSH T1439533728AA79057D401353E7BA89054D083921DE5B2959F12ABC44F007BBAFBF8DBC7
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter r3dbU7z
Tags:Chaos exe golang Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
640
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
as55.exe
Verdict:
Malicious activity
Analysis date:
2022-10-21 02:39:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bec382ed-1271-4a5b-9a1d-66d9b71b78f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322168/
Detection(s):
Win.Malware.Lazy-9969515-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a custom TCP request
Launching a process
Creating a window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/635206841b976e20e2c2b36b/reports/bbd64f56-351a-4a73-b9c5-a5a70d95623b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/675f4556-4790-4783-8530-a998793683ba
Result
Threat name:
Chaos
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094585
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Chaos
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb69b4b5637a6b7aa40ba7ae56ed617d375f67984c3028a7607e1764fdda8490/
Threat name:
Win32.Ransomware.Foreign
Create hunting rule
Status:
Malicious
First seen:
2022-09-16 12:02:03 UTC
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nu3jnldpjvxvjalu6xfn3lbpu3v6z4yjqycrj3apylwj7o2qsia._file
Verdict:
malicious
Similar samples:
27c9e57a7b2ab447e43f4053c05c9dea128811255f9fe9e7722ee26a834bfd38
Chaos
f2d15ae071e44f720e0351ff7aec9772adeefe7243d0804997f3b85fceb1dbff
Chaos
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/221021-c5wg4sghdm/
Behaviour
Adds Run key to start application
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0de5c905-3301-49c4-92b5-0daf2506a47c
Unpacked files
SH256 hash:
45680b3402dc7ae2f51f75bafbfddb8a29398818a48a6857342ea6385ad66b11
MD5 hash:
39e4a0ce647546325d46532c743d1dc9
SHA1 hash:
7b1f1936a38edfe9cd2e4940f70db4a6257bc9eb
Link:
https://www.unpac.me/results/e0d5283d-6db0-4bb9-bb02-2183c69e16be/
SH256 hash:
fb69b4b5637a6b7aa40ba7ae56ed617d375f67984c3028a7607e1764fdda8490
MD5 hash:
5fdd033b614e18f7ebbfca2e7d6a1996
SHA1 hash:
fa047c9a9e8dc5fa2f92ad34e02e309edfcd0b61
Link:
https://www.unpac.me/results/e0d5283d-6db0-4bb9-bb02-2183c69e16be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/fb69b4b5637a6b7aa40ba7ae56ed617d375f67984c3028a7607e1764fdda8490

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Chaos

Executable exe fb69b4b5637a6b7aa40ba7ae56ed617d375f67984c3028a7607e1764fdda8490

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/322168/

Comments