MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 742a1d6f3569a67d95732295d491afc5025548240a7671ea4741936f0106f4bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 742a1d6f3569a67d95732295d491afc5025548240a7671ea4741936f0106f4bc
SHA3-384 hash: dcd441dbc6af0a8e54db06c0eaaed66e45d54bcd69d84f12fa926b3df5ba02f24e42fa17ddc347f5730888b63351009c
SHA1 hash: 1f53488f5638b61345fa65304f3090125d1866c6
MD5 hash: 1d4f512ea3240231b59dcd026d61b789
humanhash: papa-low-tennis-quebec
File name: chthonic_2.23.18.23.vir
Signature: Chthonic
File size: 1'049'088 bytes
First seen: 2020-07-19 19:51:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1b10655583c9f4eae2f7468a07f75a7b
ssdeep: 24576:KP77TaVTP9k5s8AjeMgtRl29Trgq7kFVfmOJow0wXctas6:W7TaNP9kA6MgtRY9TcZWOX0VG
TLSH: 53258C00EEC18877D8B101755AFB8661B537AA663B26C6C7B38832353E503D16A761FF
Reporter: @tildedennis
Tags: Chthonic


Twitter (@tildedennis): chthonic version 2.23.18.23

Intelligence

File Origin
# of uploads: 1
# of downloads: 36
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Behaviour
Behavior Graph ID: 247680
Sample: chthonic_2.23.18.23.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 96

Signatures on the submitted sample:
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- Detected non-DNS traffic on DNS port
- Binary contains a suspicious time stamp

Process tree (as rendered in the behavior graph):
- ReferenceAssembliesE.exe
  - Dropped: C:\Users\user\AppData\Local\...\78693738.tmp (PE32); C:\Users\user\AppData\Local\...\735A3958.tmp (PE32); C:\Users\user\AppData\Local\...\5A32564A.tmp (PE32); 3 other files (none is malicious)
  - Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions
  - Started: winver.exe
    - Network: 119.28.48.230 port 53 (TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue CN, China); 82.196.9.45 ports 53 and 57003 (DIGITALOCEAN-ASN US, Netherlands; Detected non-DNS traffic on DNS port); 5 other IPs or domains
    - Dropped: C:\Users\user\...\WindowsMediaPlayerI.exe (PE32); C:\Users\user\AppData\Local\TempE73.tmp (PE32)
    - Signature: Creates multiple autostart registry keys
    - Started: cmd.exe, which started WindowsMediaPlayerI.exe and conhost.exe
- chthonic_2.23.18.23.exe
  - Network: 2.23.18.23 (SEABONE-NET TELECOM ITALIA SPARKLE SpA IT, European Union)
  - Dropped: C:\Users\user\...\ReferenceAssembliesE.exe (PE32); C:\Users\user\AppData\Local\...\78303836.tmp (PE32); C:\Users\user\AppData\Local\...\5372744C.tmp (PE32); 4 other files (none is malicious)
  - Signature: Creates multiple autostart registry keys
- WindowsMediaPlayerI.exe
- 2 other processes
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2019-09-16 21:43:51 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: ransomware bootkit persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Adds Run key to start application
Loads dropped DLL
Modifies WinLogon to allow AutoLogon

Threat name: Unknown
Score: 1.00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments