MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4db9e6043c7ddc8a04114e731a22d16d4cba065931b2cebd4dc61570e5c45c4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Chthonic

Vendor detections: 5

SHA256 hash: 4db9e6043c7ddc8a04114e731a22d16d4cba065931b2cebd4dc61570e5c45c4b
SHA3-384 hash: 24fd2f05941f64ee629116e960248580a0476baf09ab8ba72160e6c2a5c2087e77bf3d9cdfc8378038d6c5447b445df7
SHA1 hash: 9ef3857d88ea840504e9fe96f97e5e19dc782ef4
MD5 hash: e9fe4925d273ae94a34d8a13b9ceff52
humanhash: alabama-paris-happy-table
File name: chthonic_2.23.20.3.vir
Signature: Chthonic
File size: 544'256 bytes
First seen: 2020-07-19 19:40:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eebb8c2f1cb97c376234e8dda86c9cb3 (1 x Chthonic)
ssdeep: 12288:x197jR8whCnE/6aHIN1t+QxwZflh0sVmSzVD1udnqOU3dcu/:L9XRBCnK6aHW1Zx+l5mSxcdncdcu/
Threatray: 23 similar samples on MalwareBazaar
TLSH: 3EC40110791BECA5FC029A389041E5AD5B0E502628DF7623B927DF7FDB3AC909717A07
Reporter: tildedennis
Tags: Chthonic


tildedennis
chthonic version 2.23.20.3

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 97
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 247433
Sample: chthonic_2.23.20.3.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 96

Signatures on the submitted sample:
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  Detected non-DNS traffic on DNS port
  2 other signatures

Processes started from the submitted sample: chthonic_2.23.20.3.exe, windowsphotoviewero.exe, gWindowsPortableDevices.exe, 2 other processes

chthonic_2.23.20.3.exe
  Network: 2.23.20.3 (SEABONE-NET TELECOMITALIASPARKLESpA, IT, European Union)
  Dropped: C:\Users\user\...\windowsphotoviewero.exe (PE32); C:\Users\user\AppData\Local\...\76663236.tmp (PE32); 5 other files (none is malicious)
  Signatures: Contains functionality to automate explorer (e.g. start an application); Creates multiple autostart registry keys; Contains functionality to compare user and computer (likely to detect sandboxes)

windowsphotoviewero.exe
  Dropped: C:\Users\user\AppData\Local\...\796B7438.tmp (PE32); C:\Users\user\AppData\Local\...\6D317336.tmp (PE32); C:\Users\user\AppData\Local\...\64773864.tmp (PE32); 3 other files (none is malicious)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
  Starts: winver.exe

gWindowsPortableDevices.exe
  Dropped: C:\Users\user\AppData\Local\...\76666F68.tmp (PE32); 5 other files (none is malicious)

winver.exe (started by windowsphotoviewero.exe)
  Network: 62.113.203.99 port 53 (TTMDE, Germany); 188.165.200.156 port 53 (OVHFR, France); 4 other IPs or domains
  Dropped: C:\Users\user\...\gWindowsPortableDevices.exe (PE32); C:\Users\user\AppData\Local\Temp\FE3C.tmp (PE32)
  Signatures: Creates multiple autostart registry keys; Detected non-DNS traffic on DNS port (188.165.200.156 port 53)
  Starts: cmd.exe

cmd.exe (started by winver.exe)
  Starts: gWindowsPortableDevices.exe, conhost.exe

gWindowsPortableDevices.exe (started by cmd.exe)
  Dropped: C:\Users\user\AppData\Local\...\6D73356A.tmp (PE32); C:\Users\user\AppData\Local\...\4D425055.tmp (PE32); C:\Users\user\AppData\Local\...\4B64345A.tmp (PE32); 3 other files (none is malicious)
  Starts: WerFault.exe
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2019-10-31 05:14:59 UTC
AV detection: 30 of 45 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: ransomware bootkit persistence
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Loads dropped DLL
UPX packed file
Modifies WinLogon to allow AutoLogon
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments