MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ba80718b5c68cf563db5bcda51606472b0b1e7bd52f9698383068cb935aad99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 3ba80718b5c68cf563db5bcda51606472b0b1e7bd52f9698383068cb935aad99
SHA3-384 hash: 7e84ae117b55e001e7c2980a23334e9456fe1e96004f7060c0a9a624c505aac45d3afef5cf913cfbdc0b5c4f8aa26fe4
SHA1 hash: f5724a63620621be8930972897da28c088547706
MD5 hash: aba6f9b372254cf34879ddc5283927c9
humanhash: massachusetts-tennis-pluto-green
File name: chthonic_2.23.17.1.vir
Signature: Chthonic
File size: 154'816 bytes
First seen: 2020-07-19 19:26:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 240ec44ac4fd9c1359c77209719a1838
ssdeep: 3072:ffEqXFLAh/GMRRxxHqsEk8vNqGyz9Q9G0NW9/BnecPfDUBEqIHNqRUiAw:ffEOM0MLxxiNxyho7NIP7UBEXkRIw
TLSH: 7EE301746F26A4A3F79BC7B0407509358DB2F5CEB304A59B079691BB7DB0F880E1A21C
Reporter: @tildedennis
Tags: Chthonic
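An added example, not part of the MalwareBazaar entry and not MalwareBazaar's own tooling: after downloading the sample, recompute the hashes listed above in one streaming pass over the file and report which published values match. The only inputs are a local file path supplied by the caller and the hash values and file size exactly as published on this entry; a mismatch on any of them means the file on disk is not the sample this entry describes, whatever its name.

```python
"""Verify a local copy of a sample against the hashes published on a
MalwareBazaar entry.  Added example; not MalwareBazaar code."""
import hashlib
from typing import Dict, Iterable, Tuple

# Values as published on this entry (hashlib algorithm name -> hex digest).
PUBLISHED = {
    "md5": "aba6f9b372254cf34879ddc5283927c9",
    "sha1": "f5724a63620621be8930972897da28c088547706",
    "sha256": "3ba80718b5c68cf563db5bcda51606472b0b1e7bd52f9698383068cb935aad99",
    "sha3_384": "7e84ae117b55e001e7c2980a23334e9456fe1e96004f7060c0a9a624c505aac45d3afef5cf913cfbdc0b5c4f8aa26fe4",
}
PUBLISHED_SIZE = 154816  # "File size: 154'816 bytes"


def compute_hashes(chunks: Iterable[bytes],
                   algorithms: Iterable[str] = tuple(PUBLISHED)) -> Tuple[Dict[str, str], int]:
    """Feed every chunk to every hasher once; return ({algorithm: hexdigest}, bytes_read)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def compare(computed: Dict[str, str], size: int,
            published: Dict[str, str] = PUBLISHED,
            published_size: int = PUBLISHED_SIZE) -> Dict[str, bool]:
    """One True/False per published digest (case-insensitive) plus the file size."""
    verdict = {name: computed.get(name, "").lower() == digest.lower()
               for name, digest in published.items()}
    verdict["size"] = size == published_size
    return verdict


def read_chunks(path: str, chunk_size: int = 1 << 20) -> Iterable[bytes]:
    """Stream the file so large samples are never held in memory at once."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return
            yield chunk


def verify_file(path: str) -> Dict[str, bool]:
    """Hash the file at `path` and compare it with the published indicators."""
    computed, size = compute_hashes(read_chunks(path))
    return compare(computed, size)


if __name__ == "__main__":
    import sys
    for name, ok in verify_file(sys.argv[1]).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
```

Run it as `python verify.py chthonic_2.23.17.1.vir`. The imphash, ssdeep and TLSH values above need third-party libraries (for example pefile for the imphash) and are deliberately left out; the four hashlib digests plus the size are enough to establish that the downloaded bytes are the ones the entry describes.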


Twitter
@tildedennis
chthonic version 2.23.17.1

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Windows shutdown
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Hiding the Action Center notifications
Blocking the User Account Control
Blocking Windows Firewall launch
Blocking the Windows Defender launch
Hiding the taskbar notifications
Deleting of the original file
Result
Threat name: Unknown
Detection: malicious
Classification: phis.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 247284
Sample: chthonic_2.23.17.1.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 100

Top-level signatures:
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected non-DNS traffic on DNS port
2 other signatures

Process tree (three processes have no recorded parent: the submitted sample and two dLite.exe instances; under each process are the files it dropped, the signatures raised on it and its network contacts, followed by its children, indented):

chthonic_2.23.17.1.exe
  Dropped: C:\Users\user\AppData\Local\TempC72.tmp (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions
  Network: 2.23.17.1 (SEABONE-NET, TELECOM ITALIA SPARKLE S.p.A., IT, European Union). This is also the version number in the file name, so confirm it in the capture before using it as an indicator.
  msiexec.exe
    Dropped: C:\Users\user\AppData\Roaming\...\dLite.exe (PE32); C:\Users\user\AppData\Local\Temp\1EEC.tmp (PE32)
    Signatures: Creates multiple autostart registry keys; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe
      conhost.exe
      dLite.exe
        Dropped: C:\Users\user\AppData\Local\Temp\4291.tmp (PE32)
        Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
        msiexec.exe
          Dropped: C:\Users\user\AppData\Local\Temp\8ECC.tmp (PE32)
          Signatures: Creates an undocumented autostart registry key; Hides the Windows control panel from the task bar; Disables Windows Defender (deletes autostart); 5 other signatures
          cmd.exe
            conhost.exe
            dLite.exe
              Dropped: C:\Users\user\AppData\Local\Temp\C127.tmp (PE32)
              Signatures: Writes to foreign memory regions
              msiexec.exe
                Dropped: C:\Users\user\AppData\Local\Temp\257F.tmp (PE32)
                Network: 62.113.203.55 port 53 (TTMDE, Germany); 62.113.203.99 port 53 (TTMDE, Germany); 2 other IPs or domains
                Signatures: Detected non-DNS traffic on DNS port (62.113.203.99)
          cmd.exe
            conhost.exe
            dLite.exe
              Dropped: C:\Users\user\AppData\Local\Temp4DC.tmp (PE32)
              msiexec.exe
                Dropped: C:\Users\user\AppData\Local\Temp\5941.tmp (PE32)
dLite.exe
  Dropped: C:\Users\user\AppData\Local\Temp\5F31.tmp (PE32)
  msiexec.exe
    Dropped: C:\Users\user\AppData\Local\Temp\998A.tmp (PE32)
    cmd.exe
      conhost.exe
      dLite.exe
        Dropped: C:\Users\user\AppData\Local\Temp\86F8.tmp (PE32)
        Signatures: Writes to foreign memory regions
        msiexec.exe
dLite.exe
  Dropped: C:\Users\user\AppData\Local\Temp\8084.tmp (PE32)
  msiexec.exe
    Dropped: C:\Users\user\AppData\Local\Temp\B63A.tmp (PE32)
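The behaviour graph raises "Detected non-DNS traffic on DNS port" for the connections to 62.113.203.55 and 62.113.203.99 on port 53. The following is an added example, not part of the MalwareBazaar entry and not the sandbox's own detection code, of the check behind that signature: a UDP payload sent to port 53 has to parse as a well-formed DNS message (RFC 1035 header plus question section), and anything that does not is reported. The flows are constructed for the example; only the two destination addresses are taken from the graph, the payloads are invented.

```python
"""Flag UDP traffic to port 53 whose payload does not parse as DNS.
Added example; not the sandbox's detection code.  Sample flows are constructed."""
import struct
from typing import Iterable, List, Tuple

DNS_PORT = 53
VALID_OPCODES = {0, 1, 2, 4, 5}          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}     # IN, CH, HS, NONE, ANY


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the DNS name at `off`; raise ValueError if malformed."""
    labels = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                     # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer also ends it (RFC 1035 4.1.4)
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length > 63:
            raise ValueError("label longer than 63 octets")
        off += 1 + length
        labels += 1
        if labels > 127:
            raise ValueError("too many labels")


def looks_like_dns(payload: bytes) -> bool:
    """True if payload has a sane DNS header and a parseable question section."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False
    if qdcount == 0 and opcode == 0:        # a standard query/response carries a question
        return False
    if qdcount > 8:                         # resolvers send one; a large count is noise
        return False
    off = 12
    try:
        for _ in range(qdcount):
            off = _skip_name(payload, off)
            if off + 4 > len(payload):
                return False
            _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
            if qclass not in VALID_QCLASSES:
                return False
            off += 4
    except ValueError:
        return False
    return True


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal standard query (used here only to build sample traffic)."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))


Flow = Tuple[str, str, int, bytes]       # (src, dst, dst_port, udp_payload)


def flag_non_dns(flows: Iterable[Flow]) -> List[Tuple[str, str]]:
    """Return (src, dst) for every port-53 flow whose payload is not DNS."""
    return [(src, dst) for src, dst, dport, payload in flows
            if dport == DNS_PORT and not looks_like_dns(payload)]


# Constructed sample flows: two ordinary lookups plus invented port-53 blobs sent to
# the two addresses named in the behaviour graph.
C2_BLOB = bytes.fromhex("5a9f3c11a0e4770f12bcd9e0a1ffee0102030405060708")
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.1", 53, build_query("example.com")),
    ("10.0.0.5", "10.0.0.1", 53, build_query("mail.example.org", qtype=15)),
    ("10.0.0.5", "62.113.203.99", 53, C2_BLOB),        # opcode field decodes to 7: not DNS
    ("10.0.0.5", "62.113.203.55", 53, C2_BLOB[:8]),    # shorter than a DNS header
]

if __name__ == "__main__":
    for src, dst in flag_non_dns(SAMPLE_FLOWS):
        print(f"non-DNS payload on udp/53: {src} -> {dst}")
```

The check is purely structural, which is exactly its limit: a controller that wraps its traffic in syntactically valid DNS messages (a DNS tunnel) passes it, so this signature catches transports that merely borrow port 53 to get through egress filtering, not covert channels built on real DNS. Pair it with volume and entropy checks on query names if that is the concern.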
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2018-03-30 18:27:55 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: ransomware bootkit evasion trojan persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System policy modification
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Modifies service
Checks for any installed AV software in registry
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Disables taskbar notifications via registry modification
Modifies WinLogon to allow AutoLogon
Modifies Windows Defender Real-time Protection settings
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.
