MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 248ecff90346c947fda3ab80b686cdb4a3ea72ce5641a17e72b3cd48262d0b69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 248ecff90346c947fda3ab80b686cdb4a3ea72ce5641a17e72b3cd48262d0b69
SHA3-384 hash: e0543c97783383d0c6a4e538b1f7d91fd47c8b0b2f5e38a64ae720b1950676083292dbad9a924ca3b65435635c8e2d14
SHA1 hash: b47548e82ceec9e930b7a21651023fd0c7e83426
MD5 hash: 58e7485d3b615edfaa1be2dc05dff4f6
humanhash: grey-eighteen-eleven-crazy
File name:chthonic_2.23.15.15.vir
Download: download sample
Signature Chthonic
File size:141'824 bytes
First seen:2020-07-19 19:39:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a7ae66590381cf1dfa267d7e996f26bc
ssdeep 1536:5W9S4A8vMvmgMAPbCXX+NPLycXF/mMuhebDp7V3b7L8SwrI6+tnUM498BvbyBfDj:5dWKpD9RyIN2ebDpx0V9+tnUU9byBzD
TLSH 23D3018E68710973D58347F8AD0DF16A7DDBF2350628ED6AF7A142B619B32530DF200A
Reporter @tildedennis
Tags:Chthonic


Twitter
@tildedennis
chthonic version 2.23.15.15

Intelligence


File Origin
# of uploads :
1
# of downloads :
17
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247430 Sample: chthonic_2.23.15.15.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Detected non-DNS traffic on DNS port 2->58 60 2 other signatures 2->60 9 chthonic_2.23.15.15.exe 2->9         started        13 cwindowssidebar.exe 2->13         started        15 cwindowssidebar.exe 2->15         started        process3 dnsIp4 52 2.23.15.15 AKAMAI-ASN1EU European Union 9->52 70 Writes to foreign memory regions 9->70 17 msiexec.exe 77 3 9->17         started        21 msiexec.exe 13->21         started        23 msiexec.exe 15->23         started        signatures5 process6 file7 43 C:\Users\user\AppData\...\cwindowssidebar.exe, PE32 17->43 dropped 62 Creates an undocumented autostart registry key 17->62 64 Hides the Windows control panel from the task bar 17->64 66 Disables Windows Defender (deletes autostart) 17->66 68 6 other signatures 17->68 25 cmd.exe 1 17->25         started        27 cmd.exe 1 17->27         started        signatures8 process9 process10 29 cwindowssidebar.exe 25->29         started        32 conhost.exe 25->32         started        34 cwindowssidebar.exe 27->34         started        36 conhost.exe 27->36         started        signatures11 72 Antivirus detection for dropped file 29->72 74 Multi AV Scanner detection for dropped file 29->74 76 Machine Learning detection for dropped file 29->76 38 msiexec.exe 2 29->38         started        78 Writes to foreign memory regions 34->78 41 msiexec.exe 34->41         started        process12 dnsIp13 45 89.18.27.167, 53 MGA-RO-ASRO Romania 38->45 48 139.59.23.241, 53, 61820 DIGITALOCEAN-ASNUS Singapore 38->48 50 5 other IPs or domains 38->50 signatures14 80 Detected non-DNS traffic on DNS port 48->80
Threat name:
Win32.Trojan.Wauchos
Status:
Malicious
First seen:
2018-03-28 16:55:54 UTC
AV detection:
28 of 31 (90.32%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Behaviour
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Modifies service
Adds Run key to start application
Checks whether UAC is enabled
Checks for any installed AV software in registry
Deletes itself
Loads dropped DLL
Executes dropped EXE
Disables taskbar notifications via registry modification
Modifies Windows Defender Real-time Protection settings
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments