MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52d821d8e86473f0a69a044741e9f64b68a4f1677a298f292a560aae740f286c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 52d821d8e86473f0a69a044741e9f64b68a4f1677a298f292a560aae740f286c
SHA3-384 hash: 9d53684e17a168e7ae64f1ed839ca38c4d763c82f9490a9231941042c68f264aa8ae102aba71bcef62730a61c617d850
SHA1 hash: db21636a6e3784701cd41ffa60398a5f110cec10
MD5 hash: 77b42fb633369de146785c83270bb289
humanhash: london-jig-pip-uniform
File name: chthonic_2.0.5.0.vir
Signature: Chthonic
File size: 90'112 bytes
First seen: 2020-07-19 19:23:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: af9f4024dfbb2a86a68b6359de337eb9
ssdeep: 1536:g0PxAptLk6gBZWedT2kaHDAM8/MCcUs0mOn8wx:g0PqBg/3TojAzcdOnrx
TLSH: 9093AF1221EC4033F52644744CA7DEE1BB2B3C969670A9CF2FD6113B5E76794CA2836E
Reporter: @tildedennis
Tags: Chthonic


Twitter (@tildedennis): chthonic version 2.0.5.0

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness: (not given)
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 247258
Sample: chthonic_2.0.5.0.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 100
Signatures shown in the graph: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); Early bird code injection technique detected; Maps a DLL or memory area into another process; Creates an undocumented autostart registry key; Hides the Windows control panel from the task bar; Hides that the sample has been downloaded from the Internet (zone.identifier); Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect sandboxes / dynamic malware analysis system (mutex check)
Process chain shown in the graph: chthonic_2.0.5.0.exe starts two msiexec.exe instances, which inject into svchost.exe, winlogon.exe and other processes; MpCmdRun.exe, WMIADAP.exe and conhost.exe appear further down the chain.
Network contacts shown in the graph: 92.123.29.59:443 and 92.123.7.210:80 (AKAMAI-ASUS, European Union); 8.253.204.249 (LEVEL3US, United States)
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2014-11-23 00:05:00 UTC
AV detection: 26 of 30 (86.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Drops file in Program Files directory
Checks whether UAC is enabled
Identifies Wine through registry keys
Disables taskbar notifications via registry modification
Adds policy Run key to start application
Blacklisted process makes network request
Modifies visibility of hidden/system files in Explorer
UAC bypass
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.
