{
	"id": "fcce0ddf-085e-4f15-8f84-675c05dce960",
	"created_at": "2026-04-10T03:21:35.446831Z",
	"updated_at": "2026-04-10T03:22:18.115237Z",
	"deleted_at": null,
	"sha1_hash": "3c04bb92619778234f4198db2338d6de263a5aa7",
	"title": "Inside Chimera Ransomware – the first ‘doxingware’ in wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 870296,
	"plain_text": "Inside Chimera Ransomware – the first ‘doxingware’ in wild\r\nBy hasherezade\r\nPublished: 2015-12-08 · Archived: 2026-04-10 03:03:51 UTC\r\nRansomware has proven to be a good source of money for cybercriminals. Not surprisingly, we are nowadays\r\nfacing various families of this type of malware, e.g. Cryptowall, CTB-Locker, TeslaCrypt, to name a few.\r\nRecently, one more joined this set: Chimera, which is distributed via targeted e-mails to small companies.\r\nAt first sight, it looks like yet another piece of malware that encrypts the user’s private files and demands a ransom for\r\ndecrypting them. But it adds one more twist to this feature, meant to put more pressure on the victim: it\r\nthreatens that if the ransom is not paid, all the stolen files are going to be published, along with\r\nstolen credentials that allow the files’ owner to be identified*.\r\nThis blackmail technique, called doxing, is a much more serious threat than just losing access to files. Also,\r\nkeeping backups, which is enough to manage an attack by ordinary ransomware, would not help much here. I think it will be fair\r\nto coin a new term to describe this new subtype of ransomware, for example: doxingware.\r\n* Fortunately, in the case of Chimera the authors did not actually upload the files to a server, so it is only a\r\nbogus threat. Yet, from the point of view of the victim the pressure is very real.\r\nThis time we will take a high- and low-level view of Chimera, in order to understand the techniques used.\r\nAnalyzed samples\r\nI will base this on the following three samples, captured by @JAMESWT_MHT – big thanks to him for sharing! 
🙂\r\n8956cf38e5b6941921a3a2788f50a871\r\ne6922a68fca90016584ac48fc7722ef8\r\n60fabd1a2509b59831876d5e2aa71a6b – Stub.exe \u003c- chosen as the main object of the analysis\r\n8df3534fe1ae95fc8c22cb85aed15336 – payload (Loader.dll)\r\n0a27affc77bd786beff69aa1f502d694 – payload (Core.dll)\r\nBehavioral analysis\r\nhttps://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild\r\nPage 1 of 15\n\nWhen deployed, Chimera enumerates files on all the available disks and encrypts documents recognized by a\r\npredefined list of extensions.\r\nThis is an example of what you may see if Chimera was deployed on your machine: some files have been\r\nsubstituted by their encrypted versions, with the extension .crypt appended.\r\nSee below a visualization of the bytes.\r\nsquare.bmp: left, the original; right, encrypted with Chimera:\r\nAlso, an HTML file is dropped that tells the user what happened. The HTML can be displayed in two\r\nlanguages, English and German. Below is the English version:\r\nAt the bottom of the HTML file we can read that, in addition to blackmail, the attackers are also looking for people willing\r\nto cooperate, probably to franchise their criminal business. More info about it is available in the source of the\r\nHTML:\r\nAfter the process of encrypting all the files is finished, this HTML is displayed in full-screen mode via Internet\r\nExplorer.\r\nUnpacking\r\nTwo out of the three malicious samples (60fabd1a2509b59831876d5e2aa71a6b,\r\ne6922a68fca90016584ac48fc7722ef8) are packed by the same .NET crypter, so I decided to give a brief overview\r\nof unpacking this crypter.\r\nIt is not obfuscated and can be easily decompiled by typical tools, e.g. ILSpy. 
Looking at the function names, we can\r\nget a lot of information about the functionality, e.g. that it loads the payload with the RunPE technique:\r\n(full Stub.cs: https://gist.github.com/hasherezade/5b742b46df4f79fdb784)\r\n[code language=”csharp” title=”Stub.cs” firstline=”600″]\r\npublic static void Main()\r\n{\r\n    // base64-decode the key, decrypt the embedded PE, then manually map and run it\r\n    byte[] rawAssembly = Stub.decrypt(Stub.pe, Stub.decode(BASE64_ENCODED_KEY));\r\n    Stub.run_pe(rawAssembly);\r\n}\r\n\r\nprivate static void run_pe(byte[] rawAssembly)\r\n{\r\n    new Stub.ManualMap().LoadLibrary(rawAssembly);\r\n}\r\n[/code]\r\nThe author of the crypter did not rely on a simple XOR-based algorithm; instead, they provided a custom\r\nimplementation of a block cipher (Rijndael). We can find variables with familiar names like: sbox, inv_sbox\r\n(inverse S-Box), Rcon (the round constant), Nr, Nb, Nk… Fragment:\r\n// Stub\r\nprivate static byte[] decrypt(byte[] input, byte[] key) { byte[] array = new byte[input\r\nPayloads\r\nLoader.dll\r\nmd5 = 8df3534fe1ae95fc8c22cb85aed15336\r\nThe file unpacked by Stub.exe is a DLL. It comes with a string referring to a database with debug symbols of the\r\nproject, suggesting that it is not the core payload, but just a loader for it:\r\nC:\\Projects\\Ransom\\bin\\Release\\Loader.pdb. 
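Both the .NET stub above and Loader.dll hand a freshly decrypted in-memory PE straight to a loader. When an analyst reproduces the stub's decrypt() step in a script in order to dump the payload rather than run it, the check worth having is that the output really is a PE before anything else is done with it. The following is an added example in Go written for this page; it is not code from the post, from the crypter or from Chimera. The post identifies the cipher only as a custom Rijndael, so the mode (CBC), the zero IV and PKCS#7 padding are assumptions to be replaced with whatever the decompiled stub actually does, and the key and encrypted blob are constructed inside the block so that it runs offline:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// decodeKey mirrors Stub.decode(): the crypter stores its key as a base64 string.
func decodeKey(b64 string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(b64)
}

// decryptPayload mirrors Stub.decrypt(). The post names the cipher (a custom
// Rijndael) but not the mode, IV or padding, so AES-CBC with a zero IV and
// PKCS#7 padding are ASSUMED here; swap them for what the stub really does.
func decryptPayload(ct, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || bytes.Count(pt[len(pt)-pad:], []byte{byte(pad)}) != pad {
		return nil, errors.New("bad PKCS#7 padding: wrong key or mode")
	}
	return pt[:len(pt)-pad], nil
}

// validatePE is the check run_pe() never makes: "MZ" at offset 0, then follow
// e_lfanew (at 0x3c) to the "PE\0\0" signature. Returns the PE header offset.
func validatePE(buf []byte) (int, error) {
	if len(buf) < 0x40 || string(buf[:2]) != "MZ" {
		return 0, errors.New("no MZ header: wrong key, mode or blob offset")
	}
	off := int(binary.LittleEndian.Uint32(buf[0x3c:]))
	if off < 0 || off+4 > len(buf) || string(buf[off:off+4]) != "PE\x00\x00" {
		return 0, errors.New("e_lfanew does not point at a PE signature")
	}
	return off, nil
}

// Unpack is the analyst's stand-in for Stub.Main(): decode the key, decrypt the
// blob and verify the result is a PE instead of handing it to ManualMap.
func Unpack(b64Key string, blob []byte) ([]byte, error) {
	key, err := decodeKey(b64Key)
	if err != nil {
		return nil, err
	}
	pe, err := decryptPayload(blob, key)
	if err != nil {
		return nil, err
	}
	if _, err := validatePE(pe); err != nil {
		return nil, err
	}
	return pe, nil
}

// ---- constructed sample so the example runs offline; not a real Chimera blob ----

// BuildFakePE returns a 0x40-byte DOS header whose e_lfanew points at "PE\0\0".
func BuildFakePE() []byte {
	buf := make([]byte, 0x40)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3c:], 0x40)
	return append(buf, "PE\x00\x00"...)
}

// EncryptSample is the inverse of decryptPayload, used only to build test input.
func EncryptSample(pt, key []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	return ct
}

// SampleKey is a made-up 16-byte key, base64-encoded the way the stub stores it.
const SampleKey = "MDEyMzQ1Njc4OWFiY2RlZg=="

func main() {
	key, _ := decodeKey(SampleKey)
	blob := EncryptSample(BuildFakePE(), key)
	pe, err := Unpack(SampleKey, blob)
	fmt.Printf("unpacked %d bytes, err=%v\n", len(pe), err)
	_, err = Unpack("AAAAAAAAAAAAAAAAAAAAAA==", blob) // wrong key: decrypts to garbage
	fmt.Println("wrong key:", err)
}
```

Against a real sample, replace SampleKey and the blob with the values lifted from the decompiled stub; if validatePE rejects the output, the mode or padding guess is wrong rather than the key being absent, which is exactly the situation the MZ/PE check is there to make visible.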
In fact, its role is just to unpack and load the core executable.\r\nAutomatic analysis: https://malwr.com/analysis/Zjc0MDg0ZmRlMjhkNGYxZTlmZWI1NzIxMTlhYmEyODU/\r\nLoader.dll unpacks a new PE file, writes it into process memory and runs it in a new thread:\r\nCore.dll\r\nmd5 = 0a27affc77bd786beff69aa1f502d694\r\nThe original name of the executable unpacked by the Loader is Core.dll (it also comes with an analogous string:\r\nC:\\Projects\\Ransom\\bin\\Release\\Core.pdb) and it is responsible for all the malicious activities.\r\nAt this stage we can clearly see all the strings and API calls, as well as the full list of extensions of the files that are going\r\nto be encrypted. (Full list of strings: https://gist.github.com/hasherezade/ceef1c2fed2c70f37d6e)\r\nDllMain creates a mutex whose name is generated from the volume serial number (to ensure that the malware is not\r\nrun more than once), and then starts a new thread that deploys the following three procedures:\r\nIn the function start_network_thread Chimera prepares all the data to be sent to the C\u0026C and after that deploys\r\na new thread that handles all the network-related operations.\r\nFirst is the information-gathering phase. The victim ID is generated based on the hardware; also, some other\r\ninformation about the local machine is collected: the computer name and the external IP (by querying\r\nbot.whatismyipaddress.com; if the computer is offline, 0.0.0.0 is used as the IP). 
This data, along with the\r\ngenerated Bitcoin wallet address and a generated key pair, is supplied as a parameter to the newly created thread.\r\nIt is deployed before the process of file encryption starts, and the public key from this pair is passed forward to\r\nthe function encrypting files. Note that the key pair is generated on the victim’s machine and handed to the network\r\nthread, so the private half exists locally only until it has been sent; this is the key that the Decrypter later\r\nretrieves over the same channel.\r\nFile encryption function (beginning):\r\nPreparing a random symmetric key for each file:\r\nThe public key (marked purple) is passed to the function responsible for generating a random key for each file.\r\nEvery symmetric key is encrypted with the public key and then stored in the file:\r\nThe file is processed chunk by chunk:\r\nthen saved under its name with the suffix .crypt added:\r\nCommunication\r\nChimera’s authors have chosen the Bitmessage P2P protocol for communication with the C\u0026C (as well as for\r\ncontact with eventual recruits).\r\nTo bootstrap the connection the bot uses two hard-coded hosts and receives addresses from them.\r\nMind the fact that those addresses are not C\u0026Cs of the malware, but just nodes of Bitmessage. 
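Returning to the file encryption routine described above (a random symmetric key per file, encrypted with the public key and stored in the file, the body processed chunk by chunk, the result renamed with .crypt), the following is an added example written for this page; it is not the post's code and not Chimera's. The post does not name the algorithms, key sizes or header layout, so RSA-2048 with OAEP, AES-256-CTR, a 64 KiB chunk and the header layout given in the comments are assumptions, and the sample data is constructed. It shows why the Decrypter discussed later needs the private key delivered after payment: without it the per-file key cannot be unwrapped, however much of the rest of the environment is intact:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io"
)

const chunkSize = 64 * 1024 // the body is processed chunk by chunk, as in the post
// EncryptStream is the per-file routine: a fresh random symmetric key for this
// file only, wrapped with the public key and stored ahead of the ciphertext.
// Header layout is ASSUMED: [u32 BE len][RSA-OAEP(fileKey)][16-byte IV][AES-CTR body].
func EncryptStream(pub *rsa.PublicKey, in io.Reader, out io.Writer) error {
	kiv := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(kiv); err != nil {
		return err
	}
	fileKey, iv := kiv[:32], kiv[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(wrapped)))
	if _, err := out.Write(append(append(hdr, wrapped...), iv...)); err != nil {
		return err
	}
	block, _ := aes.NewCipher(fileKey)
	return pump(cipher.NewCTR(block, iv), in, out)
}

// DecryptStream is what the Decrypter must do per .crypt file: without the
// matching private key the wrapped fileKey cannot be opened, so the body stays unreadable.
func DecryptStream(priv *rsa.PrivateKey, in io.Reader, out io.Writer) error {
	lenBuf := make([]byte, 4)
	if _, err := io.ReadFull(in, lenBuf); err != nil {
		return err
	}
	n := int(binary.BigEndian.Uint32(lenBuf))
	if n != priv.Size() {
		return fmt.Errorf("wrapped key length %d does not match this key pair", n)
	}
	hdr := make([]byte, n+aes.BlockSize)
	if _, err := io.ReadFull(in, hdr); err != nil {
		return err
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, hdr[:n], nil)
	if err != nil {
		return fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	block, _ := aes.NewCipher(fileKey)
	return pump(cipher.NewCTR(block, hdr[n:]), in, out)
}

// pump applies the stream cipher chunk by chunk; CTR state carries across chunks.
func pump(stream cipher.Stream, in io.Reader, out io.Writer) error {
	buf := make([]byte, chunkSize)
	for {
		n, err := io.ReadFull(in, buf)
		if n > 0 {
			stream.XORKeyStream(buf[:n], buf[:n])
			if _, werr := out.Write(buf[:n]); werr != nil {
				return werr
			}
		}
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			return nil
		} else if err != nil {
			return err
		}
	}
}

// CryptName is the on-disk convention from the post: original name + ".crypt".
func CryptName(name string) string { return name + ".crypt" }

// RoundTrip encrypts data under priv's public half and decrypts it again.
func RoundTrip(priv *rsa.PrivateKey, data []byte) ([]byte, []byte, error) {
	var enc, dec bytes.Buffer
	if err := EncryptStream(&priv.PublicKey, bytes.NewReader(data), &enc); err != nil {
		return nil, nil, err
	}
	err := DecryptStream(priv, bytes.NewReader(enc.Bytes()), &dec)
	return enc.Bytes(), dec.Bytes(), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)              // the bot's generated key pair
	data := bytes.Repeat([]byte("square.bmp bytes "), 12000) // constructed input, > 3 chunks
	enc, dec, err := RoundTrip(priv, data)
	fmt.Println(CryptName("square.bmp"), len(enc), bytes.Equal(dec, data), err)
}
```

The Decrypter's other preconditions from the post (the wallet address read from the ransom note, a matching hardware ID, a confirmed payment) are policy checks wrapped around a routine like DecryptStream, not part of the cryptography; the private key is the only thing that actually opens the files.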
Below, a fragment\r\nof the original file from the Bitmessage protocol:\r\nSample response from one of the servers (95.165.168.168):\r\nUsing the received list, it starts a new Bitmessage connection and sends an object there:\r\nExample of sending an object (containing client data) to a new address, 79.218.142.200:\r\nThe same protocol is also used to obtain the private key when the ransom is paid. Below, a fragment of the code of the\r\ndecompiled Decrypter:\r\nDecrypter\r\nThe Decrypter is delivered as an .msi installer. It has a very friendly user interface and guides the victim through the full\r\nprocess of decrypting files.\r\nHowever, to work properly it requires that the full environment is left as the malware set it up. If we remove the\r\nransom notes or try to decrypt files moved from another computer, we will have an unpleasant surprise.\r\nThe Decrypter fetches the Bitcoin wallet address from the ransom notes, which is why leaving them in place is necessary to make it\r\nwork. Also, the hardware ID generated for the current machine must be the same as that of the machine on which the files\r\nwere encrypted. Decryption proceeds only if the payment to that particular address has been received.\r\nThe Decoder is an executable written in C# and can be easily decompiled. 
However, its core functions related to\r\ndecrypting and hardware ID generation are imported from an external DLL (which is included in the decoder’s\r\npackage):\r\nExport table of PolarSSLWrapper.dll:\r\nConclusion\r\nChimera does not have any outstanding obfuscation, and once we unpack the core, analysis becomes easy.\r\nHowever, it comes with several ideas that are novel and may slowly become a new trend.\r\nIts communication over a P2P protocol is an interesting countermeasure against botnet takedowns. Also, the idea of\r\nblackmailing the user by leaking documents was not found in any malware before. In this case the authors settled for\r\nbogus threats (sending a huge number of files to the C\u0026C and storing them is much more costly), but the idea itself\r\nis dangerous.\r\nIf other cybercriminals get inspired and decide to implement it, we will have a new headache.\r\nAppendix\r\nhttp://www.techwalls.com/chimera-ransomware-now-even-harder-decrypt/ – about Chimera’s distribution method\r\nhttp://www.bleepingcomputer.com/news/security/chimera-ransomware-uses-a-peer-to-peer-decryption-service/ –\r\nmore about Chimera’s communication\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild"
	],
	"report_names": [
		"inside-chimera-ransomware-the-first-doxingware-in-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775791295,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c04bb92619778234f4198db2338d6de263a5aa7.pdf",
		"text": "https://archive.orkl.eu/3c04bb92619778234f4198db2338d6de263a5aa7.txt",
		"img": "https://archive.orkl.eu/3c04bb92619778234f4198db2338d6de263a5aa7.jpg"
	}
}