MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d6163d57c9c99026b1203a475f0dac06b6a75a82a83d7c0c19442cb14ba35e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 9d6163d57c9c99026b1203a475f0dac06b6a75a82a83d7c0c19442cb14ba35e5
SHA3-384 hash: ecb6076502bd441acd7fea8af67af34544f9f1fe0768b2a62f9f457da3169ac1f1e3d72fb0a67b8b9f83652367bc2403
SHA1 hash: a4332ec867080ba63e3523cae84b093c0fcef902
MD5 hash: 54edda43ee2e20c39fea5e2dabb6c921
humanhash: delaware-failed-illinois-ohio
File name: chthonic_2.23.18.10.vir
Signature: Chthonic
File size: 481'480 bytes
First seen: 2020-07-19 17:14:14 UTC
Last seen: 2020-07-19 19:13:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 656e92606f48bfe1a31511ddbe0377db
ssdeep: 6144:vtwsLJLgOeWvR1wRvfWgYN+3y3YvPKJRcF1k73QXPRU4LkfmMkjKsRZAvX3PNAFA:1wsLHeWvRWf+AAfmVQv3VARoVArNT6t/
TLSH: 46A4BEEA0183DBE1DDC06DB0C6598B9011F241701D479FC2E6BA292A15AF97633FA73D
Reporter: @tildedennis
Tags: Chthonic


Twitter (@tildedennis): chthonic version 2.23.18.10

Intelligence


File Origin
# of uploads: 2
# of downloads: 17
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour:
Behavior Graph (graph image not reproduced here): Behavior Graph ID 247172, Sample chthonic_2.23.18.10.vir, Startdate 19/07/2020, Architecture WINDOWS, Score 100. Top signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Detected non-DNS traffic on DNS port; 2 other signatures.
Result
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2019-04-04 20:27:38 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence ransomware bootkit
Behaviour:
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Modifies WinLogon to allow AutoLogon

Result
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.