MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24b9bdeec3ac3558962cd44f20b4d356f8692eb2629816ba1641b12866a3a55e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 24b9bdeec3ac3558962cd44f20b4d356f8692eb2629816ba1641b12866a3a55e
SHA3-384 hash: 8bffe5ae2ebf1af8b31b66c83891bcf9c637fec652f1bb030ea0caf2fc9f04e82b6c5725a3e5278ebd57a33c9be986c6
SHA1 hash: 3b3d7a09d8bee533d727c4e4bcb43b1b5aa61a2a
MD5 hash: 1a1e3f3fcbd85521783f2d125af961f8
humanhash: social-december-hawaii-virginia
File name: chthonic_2.23.17.2.vir
Signature: Chthonic
File size: 364,544 bytes
First seen: 2020-07-19 19:24:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a3a903d80052db20fff9783f20cadaf
ssdeep: 6144:dBuc3nTZTPV3WQmkekYNNEqNi64dTY+V+z86CxjxEFMFYvFqMOz4CSM:dnXTZTP82ekUJEdTYrkjxEFOQ4MOz
TLSH: 5D74F0E5B9821C38F08A0DF55A616158E4662F2EFD375F990931B42CB93B352FBD0227
Reporter: @tildedennis
Tags: Chthonic


Twitter
@tildedennis
chthonic version 2.23.17.2

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 17
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: phis.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247256; sample: chthonic_2.23.17.2.vir; start date: 20/07/2020; architecture: WINDOWS; score: 100)

Signatures on the submitted sample:
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  Machine Learning detection for sample
  Binary contains a suspicious time stamp

Network:
  2.23.17.2 (SEABONE-NET TELECOM ITALIA SPARKLE SpA, IT, European Union), contacted by chthonic_2.23.17.2.exe (12)

Process tree (graph node IDs in parentheses; dropped files and per-process signatures are listed under the process that produced them):
  chthonic_2.23.17.2.exe (12)
    dropped: C:\Users\user\AppData\Local\Temp251.tmp, PE32
    signature: Writes to foreign memory regions
    msiexec.exe (21)
      dropped: C:\Users\user\AppData\...\BWindowsMail.exe, PE32
      dropped: C:\Users\user\AppData\Local\Temp\1CBB.tmp, PE32
      signature: Creates multiple autostart registry keys
      signature: Deletes itself after installation
      signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      cmd.exe (29)
        conhost.exe (37)
        BWindowsMail.exe (33)
          dropped: C:\Users\user\AppData\Local\Temp\7DC6.tmp, PE32
          signature: Antivirus detection for dropped file
          signature: Machine Learning detection for dropped file
          signature: Writes to foreign memory regions
          msiexec.exe (43)
            dropped: C:\Users\user\AppData\Local\Temp\D731.tmp, PE32
            signature: Creates an undocumented autostart registry key
            signature: Hides the Windows control panel from the task bar
            signature: Disables Windows Defender (deletes autostart)
            signature: 5 other signatures
            cmd.exe (49)
              conhost.exe (57)
              BWindowsMail.exe (53)
                dropped: C:\Users\user\AppData\Local\Temp\51C0.tmp, PE32
                signature: Writes to foreign memory regions
                msiexec.exe (63)
            cmd.exe (51)
              conhost.exe (59)
              BWindowsMail.exe (61)
  BWindowsMail.exe (17)
    dropped: C:\Users\user\AppData\Local\Temp\8EFD.tmp, PE32
    msiexec.exe (25)
      dropped: C:\Users\user\AppData\Local\Temp\C510.tmp, PE32
      cmd.exe (31)
        conhost.exe (41)
        BWindowsMail.exe (39)
          dropped: C:\Users\user\AppData\Local\Temp\71AC.tmp, PE32
          msiexec.exe (47)
  BWindowsMail.exe (19)
    dropped: C:\Users\user\AppData\Local\Temp\AC0A.tmp, PE32
    msiexec.exe (27)
      dropped: C:\Users\user\AppData\Local\Temp7BB.tmp, PE32
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2018-06-21 19:52:00 UTC
AV detection: 20 of 31 (64.52%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
UPX packed file
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments