MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chthonic


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3
SHA3-384 hash: 3235ad4539fb6820293eeded489e66b34e99940e43c8786812028114b633de3f522966075f6231d335d95317559dac5d
SHA1 hash: ed46844d9a51d083f8b149c4f252bad34bbc7b1e
MD5 hash: d991dc65d24d866e37a41006c15756aa
humanhash: hotel-december-black-maryland
File name:chthonic_2.23.15.2.vir
Download: download sample
Signature Chthonic
Create hunting rule
File size:385'536 bytes
First seen:2020-07-19 19:24:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e48c2f36b6c931f42efce70cc54c99f (1 x Chthonic)
ssdeep 6144:H+LcDYuBzOQFBgaRlZVWezsS7N124lWVMqgjA0ds8SErXvzbmH2:eLcYuBzpFBgGzR64xqgjpfXW
Threatray 33 similar samples on MalwareBazaar
TLSH 7A84BE047290A476E6D27235AF69CAB18B31EC361A25449323F41FAB3DFE6E34531736
Reporter tildedennis
Tags:Chthonic


Avatar
tildedennis
chthonic version 2.23.15.2

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ramnit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28160/
Detection(s):
SecuriteInfo.com.Generic_s.QEG.dropper.23297.23569.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390190
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247276 Sample: chthonic_2.23.15.2.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Multi AV Scanner detection for domain / URL 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 13 other signatures 2->99 8 pejuripg.exe 1 2->8         started        11 chthonic_2.23.15.2.exe 1 2->11         started        15 WindowsMediaPlayerM.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 139 Antivirus detection for dropped file 8->139 141 Multi AV Scanner detection for dropped file 8->141 143 Contains functionality to identify kernel process list (PsInitialSystemProcess) 8->143 145 Contains functionality to modify Windows User Account Control (UAC) settings 8->145 19 yabayuvj.exe 4 8->19         started        91 2.23.15.2 AKAMAI-ASN1EU European Union 11->91 75 C:\Users\user\Desktop\W8FOr23, PE32 11->75 dropped 147 Detected unpacking (changes PE section rights) 11->147 149 Detected unpacking (overwrites its own PE header) 11->149 151 Writes to foreign memory regions 11->151 22 W8FOr23 8 3 11->22         started        25 msiexec.exe 1 2 11->25         started        77 C:\Users\user\AppData\Roaming\...\W8FOr23, PE32 15->77 dropped 28 W8FOr23 15->28         started        153 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->153 30 ggipwpke.exe 1 17->30         started        32 W8FOr23 17->32         started        34 msiexec.exe 17->34         started        file5 signatures6 process7 dnsIp8 101 Antivirus detection for dropped file 19->101 103 Multi AV Scanner detection for dropped file 19->103 105 Contains functionality to identify kernel process list (PsInitialSystemProcess) 19->105 119 5 other signatures 19->119 36 svchost.exe 9 19->36         started        41 sdbinst.exe 8 2 19->41         started        43 iscsicli.exe 1 19->43         started        49 5 other processes 19->49 67 C:\Users\user\AppData\Local\...\pejuripg.exe, PE32 22->67 dropped 107 Creates an undocumented autostart registry key 22->107 109 Changes security center settings (notifications, updates, antivirus, firewall) 22->109 111 Disables Windows Defender (deletes autostart) 22->111 121 3 other signatures 22->121 85 51.255.48.78, 53 OVHFR France 25->85 87 89.18.27.34, 53 MGA-RO-ASRO Romania 25->87 89 11 other IPs or domains 25->89 69 C:\Users\user\...\WindowsMediaPlayerM.exe, PE32 25->69 dropped 113 Creates multiple autostart registry keys 25->113 71 C:\Users\user\AppData\Local\...\yabayuvj.exe, PE32 28->71 dropped 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->115 45 yabayuvj.exe 28->45         started        73 C:\Users\user\AppData\Local\...\ggipwpke.exe, PE32 32->73 dropped 47 ggipwpke.exe 32->47         started        file9 117 Detected non-DNS traffic on DNS port 87->117 signatures10 process11 dnsIp12 79 wgwuhauaqcrx.com 72.26.218.70, 443, 49722, 49724 VOXEL-DOT-NETUS United States 36->79 81 doisafjsnbjesfbejfbkjsej88.com 208.100.26.245, 443, 49717, 49723 STEADFASTUS United States 36->81 83 9 other IPs or domains 36->83 63 C:\Users\user\AppData\...\pejuripg.exe, PE32 36->63 dropped 123 System process connects to network (likely due to code injection or exploit) 36->123 125 Contains functionality to identify kernel process list (PsInitialSystemProcess) 36->125 127 Contains functionality to detect sandboxes (registry SystemBiosVersion/Date) 36->127 137 2 other signatures 36->137 51 conhost.exe 41->51         started        53 conhost.exe 43->53         started        65 C:\Users\user\AppData\Local\...\ggipwpke.exe, PE32 45->65 dropped 129 Writes to foreign memory regions 45->129 131 Allocates memory in foreign processes 45->131 133 Creates a thread in another existing process (thread injection) 45->133 135 Injects a PE file into a foreign processes 45->135 55 svchost.exe 45->55         started        57 svchost.exe 45->57         started        59 sdbinst.exe 45->59         started        61 conhost.exe 49->61         started        file13 signatures14 process15
Detection:
ramnit
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3/
Threat name:
Win32.Virus.Ramnit
Create hunting rule
Status:
Malicious
First seen:
2017-07-20 01:03:00 UTC
AV detection:
31 of 31 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wepqooz5soh6y55yj7imvqpnqykfdiz7lyidbmpwgv2ousiqgkzq._file
Verdict:
malicious
Similar samples:
1466a3a68f3c7f673d4b8ba514bc078fadda4c009f342c077f1d6cb0710d9b72
Chthonic
2b54fb9596441cbdb7f2208b41a717adba83c5834a49c534f54d479131f750c1
Chthonic
43eb644d0682f9bc85745c538015ba9ad19b10116792b5e5aa5da33b6c3af797
Chthonic
4418f28281e9cb0979fceae5903c9e2ace9f8a07f4e72d7ee67bc0526d59b7cc
Chthonic
517e1659c9d9ee4de266b3ade2d06965b670d17082ae2c2c97b4c694bb29152a
Chthonic
68f66dd88b1a69a8ff2e63cca5e4554e1b147ccd2474d356b60a749c21412fd4
Chthonic
a6f6ee6214681cc7c2fcd82af2b0d8362600624e35a6d027b70787561b1f67d9
Chthonic
d0198b775182eab3ed405bd0d946006ec8616b61083e643200d1d34fe8cae2f3
Chthonic
ef3a1f525f383f8d5000a9f6fe4337f3c561ad41157d7cbb1bb2905aea18435c
Chthonic
f4901daf97516f9a9b54233dd81810398de07db40d47072f37d90b4225387fd2
Chthonic
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence evasion trojan
Link:
https://tria.ge/reports/200719-kxznq5ttqa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Checks whether UAC is enabled
Adds Run key to start application
Drops startup file
Windows security modification
Loads dropped DLL
Executes dropped EXE
UAC bypass
Modifies WinLogon for persistence
Modifies security service
Modifies firewall policy service
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/chthonic/
Cape
Cape
https://www.capesandbox.com/analysis/28160/

Comments