MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 9d4746373e81656ca55f49d1b2c93f5d9358bf3c6a31e1a9ae606f26ba273dca
SHA3-384 hash: fb8cf84dbe72cb1b8297ccdf845c373e853efb51d206d51e66ef46bf3ecfe0861354a6137781447f67da6df2fdc2ab8e
SHA1 hash: 7e20eaacec6eaf3ca5d6a2a526ff47b9cd0faf21
MD5 hash: 2b2566bbf2212acb156eea90c6dfe7d1
humanhash: butter-lithium-hawaii-victor
File name:chthonic_2.23.15.11.vir
Download: download sample
Signature Chthonic
File size:331'776 bytes
First seen:2020-07-19 19:27:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 702c1aa79b24e8319caa67058f8ff291
ssdeep 6144:gg8NCfnTDggzCbL3ljivxeIQ5LZb1H3rD28ceKUBIpP2:JpT5sLVGQLvbo5MUe
TLSH 3464F22778C2D0B2D89B84B080DACB56BFBB3D235B36421BFFD51E8A59702C55B36464
Reporter @tildedennis
Tags:Chthonic


Twitter
@tildedennis
chthonic version 2.23.15.11

Intelligence


File Origin
# of uploads :
1
# of downloads :
17
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247310 Sample: chthonic_2.23.15.11.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Detected non-DNS traffic on DNS port 2->49 9 chthonic_2.23.15.11.exe 2->9         started        13 cmozillafirefox.exe 2->13         started        15 cmozillafirefox.exe 2->15         started        process3 dnsIp4 43 2.23.15.11 AKAMAI-ASN1EU European Union 9->43 55 Detected unpacking (changes PE section rights) 9->55 57 Detected unpacking (overwrites its own PE header) 9->57 59 Writes to foreign memory regions 9->59 17 msiexec.exe 1 3 9->17         started        22 msiexec.exe 13->22         started        24 msiexec.exe 15->24         started        signatures5 process6 dnsIp7 37 62.113.203.55, 53 TTMDE Germany 17->37 39 62.113.203.99, 53 TTMDE Germany 17->39 41 10 other IPs or domains 17->41 35 C:\Users\user\AppData\...\cmozillafirefox.exe, PE32 17->35 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->51 26 cmd.exe 1 17->26         started        file8 53 Detected non-DNS traffic on DNS port 39->53 signatures9 process10 process11 28 cmozillafirefox.exe 26->28         started        31 conhost.exe 26->31         started        signatures12 61 Antivirus detection for dropped file 28->61 63 Multi AV Scanner detection for dropped file 28->63 65 Detected unpacking (changes PE section rights) 28->65 67 2 other signatures 28->67 33 msiexec.exe 28->33         started        process13
Threat name:
Win32.Trojan.Yakes
Status:
Malicious
First seen:
2018-01-28 18:36:00 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion trojan
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks whether UAC is enabled
Adds Run key to start application
Executes dropped EXE
Blacklisted process makes network request
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments