MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a637d7360ef409b2d9f3038de841583a039287ee7f54d2f634d9cea6c0fd502f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: a637d7360ef409b2d9f3038de841583a039287ee7f54d2f634d9cea6c0fd502f
SHA3-384 hash: d4c7764041682548d2dcfd1ce375ec3623796be0067324cab3e06337e68c4cf86a2ebc4a8dba1e0bdf91560629a5fb1a
SHA1 hash: 1433f4c575719b8a9269597a997e15ff2420caf5
MD5 hash: 878804a067f5d32ba006f57a6635e87e
humanhash: delaware-kansas-winter-sink
File name: chthonic_2.23.15.14.vir
Signature: Chthonic
File size: 417'280 bytes
First seen: 2020-07-19 19:36:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7eba81f95f16ff761fb3b582e097beb9
ssdeep: 12288:kAYiWV9B0JJvAgq654fPKxbYqjzBhXm7wqZ5ssqO:kAYiWVL0DAgqTPK9YynZ2xq
TLSH: E394D0227A4184B6D2230633AD28F37759EDBA701F35925B77E8471DDF301C1BA29A63
Reporter: @tildedennis
Tags: Chthonic


Twitter (@tildedennis): chthonic version 2.23.15.14

Intelligence


File Origin
# of uploads: 1
# of downloads: 21
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: phis.evad
Score: 100 / 100
Behaviour
Behavior Graph (the original is an image; the process tree and signatures it carried are listed below, node numbers as in the graph, signatures under the process that triggered them):
Behavior Graph ID: 247408
Sample: chthonic_2.23.15.14.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 100

2 (submitted sample)
  - Antivirus / Scanner detection for submitted sample
  - Multi AV Scanner detection for submitted file
  - Machine Learning detection for sample
  14 chthonic_2.23.15.14.exe
    - Network: 2.23.15.14 (AKAMAI-ASN1EU, European Union)
    - Detected unpacking (changes PE section rights)
    - Detected unpacking (overwrites its own PE header)
    - Hides that the sample has been downloaded from the Internet (zone.identifier)
    22 chthonic_2.23.15.14.exe
      - Injects a PE file into a foreign processes
      29 chthonic_2.23.15.14.exe
        - Writes to foreign memory regions
        36 msiexec.exe
          - Dropped file: C:\Users\user\AppData\Roaming\...\aGoogle.exe (PE32)
          - Creates multiple autostart registry keys
          - Allocates many large memory junks
          - Hides that the sample has been downloaded from the Internet (zone.identifier)
          42 cmd.exe
            49 aGoogle.exe
              - Antivirus detection for dropped file
              - Multi AV Scanner detection for dropped file
              - Detected unpacking (changes PE section rights)
              - 3 other signatures
              56 aGoogle.exe
                - Injects a PE file into a foreign processes
                61 aGoogle.exe
                  - Writes to foreign memory regions
                  66 msiexec.exe
                    - Creates an undocumented autostart registry key
                    - Hides the Windows control panel from the task bar
                    - Disables Windows Defender (deletes autostart)
                    - 5 other signatures
                    69 cmd.exe
            52 conhost.exe
  18 aGoogle.exe
    - Injects a PE file into a foreign processes
    25 aGoogle.exe
      - Writes to foreign memory regions
      32 msiexec.exe
        - Allocates many large memory junks
        40 cmd.exe
          44 aGoogle.exe
            - Hides that the sample has been downloaded from the Internet (zone.identifier)
            54 aGoogle.exe
              - Injects a PE file into a foreign processes
              59 aGoogle.exe
                - Writes to foreign memory regions
                64 msiexec.exe
          47 conhost.exe
  20 aGoogle.exe
    27 aGoogle.exe
      34 msiexec.exe
Threat name: Win32.Trojan.Genkryptik
Status: Malicious
First seen: 2018-02-09 01:18:59 UTC
AV detection: 26 of 30 (86.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence evasion trojan ransomware bootkit
Behaviour
Modifies Internet Explorer settings
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks for any installed AV software in registry
Loads dropped DLL
Deletes itself
Disables taskbar notifications via registry modification
Executes dropped EXE
Modifies WinLogon to allow AutoLogon
Modifies Windows Defender Real-time Protection settings
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.
