MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51c8e10c77c9f131b207be4bff0e37a09cf4f24b3b941416ae22bc438d1730c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 51c8e10c77c9f131b207be4bff0e37a09cf4f24b3b941416ae22bc438d1730c4
SHA3-384 hash: a165aadc4cf56c4347e9b64c2bb80522d129228f37ed8dd20dfe526d0a21218523b28db82056f334ee813658d690ccd8
SHA1 hash: ed6043735ef990b3b9fa5fd53df82b3e577fc02a
MD5 hash: a9cedbccefb07a18d56a360be2aeb4bb
humanhash: artist-chicken-london-butter
File name: chthonic_0.3.29.0.vir
Signature: ZeuS
File size: 233'984 bytes
First seen: 2020-07-19 17:27:53 UTC
Last seen: 2020-07-19 19:18:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0029c9c4711edcf56cafa0148477e638
ssdeep: 3072:821BFybIQGoU++AdVYWlNh+lzPYJXCMZ+zNf2fLHtx5JUDb7/ME9uUxk2UOFJaqg:821B3oXVkWczANx5LUwWDdrnK6yXpCA
TLSH: 9934BF23B9859CB6C9A12175AA9A733662FFCE3414388C87D3D84C196C769C3773E247
Reporter: @tildedennis
Tags: Chthonic ZeuS


Twitter
@tildedennis: chthonic version 0.3.29.0

Intelligence


File Origin
# of uploads: 2
# of downloads: 20
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: ZeusVM
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247131; sample: chthonic_0.3.29.0.vir; start date: 19/07/2020; architecture: WINDOWS; score: 100):
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected ZeusVM e-Banking Trojan
chthonic_0.3.29.0.exe drops C:\Users\user\AppData\...\agentMicrosoft.exe (MS-DOS) and C:\Users\user\AppData\...\tmp12f7377c.bat (DOS), then starts agentMicrosoft.exe and cmd.exe (which starts conhost.exe)
Drops batch files with force delete cmd (self deletion)
Tries to detect sandboxes / dynamic malware analysis system (registry check, mutex check, tool check)
agentMicrosoft.exe contacts panama-moter.com
Antivirus detection for dropped file
Machine Learning detection for dropped file
agentMicrosoft.exe injects into GJNXmEvHShhYGQ.exe (three instances) and starts 18 other processes
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2013-10-18 21:05:00 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Loads dropped DLL
Deletes itself
Identifies Wine through registry keys
Executes dropped EXE
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments