MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a637d7360ef409b2d9f3038de841583a039287ee7f54d2f634d9cea6c0fd502f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chthonic


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a637d7360ef409b2d9f3038de841583a039287ee7f54d2f634d9cea6c0fd502f
SHA3-384 hash: d4c7764041682548d2dcfd1ce375ec3623796be0067324cab3e06337e68c4cf86a2ebc4a8dba1e0bdf91560629a5fb1a
SHA1 hash: 1433f4c575719b8a9269597a997e15ff2420caf5
MD5 hash: 878804a067f5d32ba006f57a6635e87e
humanhash: delaware-kansas-winter-sink
File name:chthonic_2.23.15.14.vir
Download: download sample
Signature Chthonic
Create hunting rule
File size:417'280 bytes
First seen:2020-07-19 19:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eba81f95f16ff761fb3b582e097beb9 (1 x Chthonic)
ssdeep 12288:kAYiWV9B0JJvAgq654fPKxbYqjzBhXm7wqZ5ssqO:kAYiWVL0DAgqTPK9YynZ2xq
Threatray 17 similar samples on MalwareBazaar
TLSH E394D0227A4184B6D2230633AD28F37759EDBA701F35925B77E8471DDF301C1BA29A63
Reporter tildedennis
Tags:Chthonic


Avatar
tildedennis
chthonic version 2.23.15.14

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28287/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390423
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247408 Sample: chthonic_2.23.15.14.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 85 Antivirus / Scanner detection for submitted sample 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 Machine Learning detection for sample 2->89 14 chthonic_2.23.15.14.exe 1 2->14         started        18 aGoogle.exe 2->18         started        20 aGoogle.exe 2->20         started        process3 dnsIp4 73 2.23.15.14 AKAMAI-ASN1EU European Union 14->73 121 Detected unpacking (changes PE section rights) 14->121 123 Detected unpacking (overwrites its own PE header) 14->123 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->125 22 chthonic_2.23.15.14.exe 14->22         started        127 Injects a PE file into a foreign processes 18->127 25 aGoogle.exe 18->25         started        27 aGoogle.exe 20->27         started        signatures5 process6 signatures7 105 Injects a PE file into a foreign processes 22->105 29 chthonic_2.23.15.14.exe 22->29         started        107 Writes to foreign memory regions 25->107 32 msiexec.exe 1 25->32         started        34 msiexec.exe 27->34         started        process8 signatures9 115 Writes to foreign memory regions 29->115 36 msiexec.exe 1 3 29->36         started        117 Allocates many large memory junks 32->117 40 cmd.exe 32->40         started        process10 file11 71 C:\Users\user\AppData\Roaming\...\aGoogle.exe, PE32 36->71 dropped 99 Creates multiple autostart registry keys 36->99 101 Allocates many large memory junks 36->101 103 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->103 42 cmd.exe 1 36->42         started        44 aGoogle.exe 40->44         started        47 conhost.exe 40->47         started        signatures12 process13 signatures14 49 aGoogle.exe 1 42->49         started        52 conhost.exe 42->52         started        113 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->113 54 aGoogle.exe 44->54         started        process15 signatures16 75 Antivirus detection for dropped file 49->75 77 Multi AV Scanner detection for dropped file 49->77 79 Detected unpacking (changes PE section rights) 49->79 83 3 other signatures 49->83 56 aGoogle.exe 49->56         started        81 Injects a PE file into a foreign processes 54->81 59 aGoogle.exe 54->59         started        process17 signatures18 109 Injects a PE file into a foreign processes 56->109 61 aGoogle.exe 56->61         started        111 Writes to foreign memory regions 59->111 64 msiexec.exe 59->64         started        process19 signatures20 119 Writes to foreign memory regions 61->119 66 msiexec.exe 73 1 61->66         started        process21 signatures22 91 Creates an undocumented autostart registry key 66->91 93 Hides the Windows control panel from the task bar 66->93 95 Disables Windows Defender (deletes autostart) 66->95 97 5 other signatures 66->97 69 cmd.exe 66->69         started        process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a637d7360ef409b2d9f3038de841583a039287ee7f54d2f634d9cea6c0fd502f/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2018-02-09 01:18:59 UTC
AV detection:
26 of 30 (86.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
Chthonic
248ecff90346c947fda3ab80b686cdb4a3ea72ce5641a17e72b3cd48262d0b69
Chthonic
35396cd9c37aef5c360393e391bbb2acb4956c948e2d061705728002edc068c1
Chthonic
3ba80718b5c68cf563db5bcda51606472b0b1e7bd52f9698383068cb935aad99
Chthonic
4bd12f48c0a5a1dd9a4c0dd17460f2941f3a1b2b11b95961b4092f07622eb5c3
Chthonic
4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93
Chthonic
96e3dab826ca6a894973bdb308ce141be90e043efb7d3c707d8e09b35453e699
Chthonic
bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066
Chthonic
e0cea593cef95fc3438ec707ef6d293c3189c3a3144a389f790cccfaec770759
Chthonic
f937bbe27c6d52452a121bc9aa320c26ae7eada7cadc9dda0fafc2c6b1bd5818
Chthonic
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion trojan ransomware bootkit
Link:
https://tria.ge/reports/200719-8qhp4r2y3n/
Behaviour
Modifies Internet Explorer settings
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
System policy modification
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Modifies service
Adds Run key to start application
Checks whether UAC is enabled
Checks for any installed AV software in registry
Checks for any installed AV software in registry
Checks whether UAC is enabled
Adds Run key to start application
Loads dropped DLL
Deletes itself
Disables taskbar notifications via registry modification
Executes dropped EXE
Disables taskbar notifications via registry modification
Modifies WinLogon to allow AutoLogon
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a637d7360ef409b2d9f3038de841583a039287ee7f54d2f634d9cea6c0fd502f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/chthonic/
Cape
Cape
https://www.capesandbox.com/analysis/28287/

Comments