MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47206f220bd471dd4d387b5236af5dd7c66fea7ce79dc3a6cf82bd150604d1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 47206f220bd471dd4d387b5236af5dd7c66fea7ce79dc3a6cf82bd150604d1fd
SHA3-384 hash: 317ed71dafdd5761722228ece1275d6d3979ac047ff86f7a003337db03dd69aa32024789e27eb4b72b3b7c0a907547b1
SHA1 hash: 88da0e648b8a9253d0475b9a485a61e39923d7a4
MD5 hash: dc9b8374562beab5c14711e871ad1821
humanhash: happy-freddie-cardinal-snake
File name: chthonic_2.23.18.8.vir
Signature: Chthonic
File size: 434'888 bytes
First seen: 2020-07-19 16:35:45 UTC
Last seen: 2020-07-19 19:09:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f784f59a522b22315ef48dd97b499a6c
ssdeep: 6144:yrvlAcr/tcNbTPpeqH4Sy8ambvg9D2pBE9dhiPf+PlEL16FpJ70ScrxKxTcXO4iK:YtFr8bTPgqYSyDm2nfiFKxTGhfUNT6tJ
TLSH: C594AEEA0193E7A5CDC42DB1CA5D8BD050F241B0191B5FC2F7BA2826249F97633E972D
Reporter: @tildedennis
Tags: Chthonic


Twitter (@tildedennis): chthonic version 2.23.18.8

Intelligence


File Origin
# of uploads: 4
# of downloads: 18
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247118; sample chthonic_2.23.18.8.vir; start date 19/07/2020; architecture WINDOWS; score 100). Recovered from the graph image:

Submitted sample, signatures:
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- Machine Learning detection for sample
- Binary contains a suspicious time stamp
Started processes: Autoit3N.exe, chthonic_2.23.18.8.exe, Autoit3N.exe

Autoit3N.exe (first instance):
- Dropped (PE32): C:\Users\user\AppData\Local\...\6C4B6346.tmp, C:\Users\user\AppData\Local\...\39547367.tmp, C:\Users\user\AppData\Local\...\3877755A.tmp, C:\Users\user\AppData\Local\...\354B5636.tmp
- Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 3 other signatures
- Started: winver.exe

chthonic_2.23.18.8.exe:
- Network: 2.23.18.8 (SEABONE-NET TELECOM ITALIA SPARKLE SpA, IT, European Union)
- Dropped (PE32): C:\Users\user\AppData\...\Autoit3N.exe, C:\Users\user\AppData\Local\...\56553834.tmp, C:\Users\user\AppData\Local\...\4E457675.tmp; 2 other files (none is malicious)
- Signatures: Contains functionality to compare user and computer (likely to detect sandboxes)

winver.exe:
- Dropped (PE32): C:\Users\user\AppData\Local\Temp496.tmp
- Started: cmd.exe, WerFault.exe

cmd.exe:
- Started: Autoit3N.exe, conhost.exe

Autoit3N.exe (started by cmd.exe):
- Dropped (PE32): C:\Users\user\AppData\Local\...\664C3244.tmp, C:\Users\user\AppData\Local\...\58434A36.tmp, C:\Users\user\AppData\Local\...\39313733.tmp, C:\Users\user\AppData\Local\...\33303149.tmp
- Started: winver.exe
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2019-03-30 21:05:18 UTC
AV detection: 27 of 31 (87.10%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence ransomware bootkit
Behaviour
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Loads dropped DLL
Modifies WinLogon to allow AutoLogon
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments