MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4db9e6043c7ddc8a04114e731a22d16d4cba065931b2cebd4dc61570e5c45c4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 4db9e6043c7ddc8a04114e731a22d16d4cba065931b2cebd4dc61570e5c45c4b
SHA3-384 hash: 24fd2f05941f64ee629116e960248580a0476baf09ab8ba72160e6c2a5c2087e77bf3d9cdfc8378038d6c5447b445df7
SHA1 hash: 9ef3857d88ea840504e9fe96f97e5e19dc782ef4
MD5 hash: e9fe4925d273ae94a34d8a13b9ceff52
humanhash: alabama-paris-happy-table
File name: chthonic_2.23.20.3.vir
Signature: Chthonic
File size: 544'256 bytes
First seen: 2020-07-19 19:40:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eebb8c2f1cb97c376234e8dda86c9cb3
ssdeep: 12288:x197jR8whCnE/6aHIN1t+QxwZflh0sVmSzVD1udnqOU3dcu/:L9XRBCnK6aHW1Zx+l5mSxcdncdcu/
TLSH: 3EC40110791BECA5FC029A389041E5AD5B0E502628DF7623B927DF7FDB3AC909717A07
Reporter: @tildedennis
Tags: Chthonic


Twitter
@tildedennis
chthonic version 2.23.20.3

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Behaviour
Behavior Graph:
[Behavior graph not reproduced; Behavior Graph ID: 247433, Sample: chthonic_2.23.20.3.vir, Startdate: 20/07/2020, Architecture: WINDOWS, Score: 96. Top signatures shown in the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Detected non-DNS traffic on DNS port; Creates multiple autostart registry keys; Contains functionality to compare user and computer (likely to detect sandboxes); Writes to foreign memory regions.]
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2019-10-31 05:14:59 UTC
AV detection: 30 of 45 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: ransomware bootkit persistence
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Loads dropped DLL
UPX packed file
Modifies WinLogon to allow AutoLogon
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments