MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: b11f073b3d938fec77b84fd0cac1ed861451a33f5e1030b1f63574ea491032b3
SHA3-384 hash: 3235ad4539fb6820293eeded489e66b34e99940e43c8786812028114b633de3f522966075f6231d335d95317559dac5d
SHA1 hash: ed46844d9a51d083f8b149c4f252bad34bbc7b1e
MD5 hash: d991dc65d24d866e37a41006c15756aa
humanhash: hotel-december-black-maryland
File name: chthonic_2.23.15.2.vir
Signature: Chthonic
File size: 385'536 bytes
First seen: 2020-07-19 19:24:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e48c2f36b6c931f42efce70cc54c99f
ssdeep: 6144:H+LcDYuBzOQFBgaRlZVWezsS7N124lWVMqgjA0ds8SErXvzbmH2:eLcYuBzpFBgGzR64xqgjpfXW
TLSH: 7A84BE047290A476E6D27235AF69CAB18B31EC361A25449323F41FAB3DFE6E34531736
Reporter: @tildedennis
Tags: Chthonic


Reporter's tweet (Twitter, @tildedennis): chthonic version 2.23.15.2

Intelligence


File Origin
# of uploads: 1
# of downloads: 18
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Ramnit
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247276): sample chthonic_2.23.15.2.vir, start date 20/07/2020, architecture WINDOWS, score 100
Sample-level signatures:
  - Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  - Multi AV Scanner detection for domain / URL
  - Malicious sample detected (through community Yara rule)
  - 13 other signatures
Process tree (network contacts, dropped files and signatures per process, as shown in the graph):
  chthonic_2.23.15.2.exe
    network: 2.23.15.2 (AKAMAI-ASN1EU, European Union)
    dropped: C:\Users\user\Desktop\W8FOr23 (PE32)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions
    starts: W8FOr23, msiexec.exe
      W8FOr23
        dropped: C:\Users\user\AppData\Local\...\pejuripg.exe (PE32)
        signatures: Creates an undocumented autostart registry key; Changes security center settings (notifications, updates, antivirus, firewall); Disables Windows Defender (deletes autostart); 3 other signatures
      msiexec.exe
        network: 51.255.48.78 (53; OVHFR, France); 89.18.27.34 (53; MGA-RO-ASRO, Romania; signature: Detected non-DNS traffic on DNS port); 11 other IPs or domains
        dropped: C:\Users\user\...\WindowsMediaPlayerM.exe (PE32)
        signatures: Creates multiple autostart registry keys
  pejuripg.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to identify kernel process list (PsInitialSystemProcess); Contains functionality to modify Windows User Account Control (UAC) settings
    starts: yabayuvj.exe
      yabayuvj.exe
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to identify kernel process list (PsInitialSystemProcess); 5 other signatures
        starts: svchost.exe, sdbinst.exe, iscsicli.exe, 5 other processes
          svchost.exe
            network: wgwuhauaqcrx.com 72.26.218.70 (443, 49722, 49724; VOXEL-DOT-NETUS, United States); doisafjsnbjesfbejfbkjsej88.com 208.100.26.245 (443, 49717, 49723; STEADFASTUS, United States); 9 other IPs or domains
            dropped: C:\Users\user\AppData\...\pejuripg.exe (PE32)
            signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to identify kernel process list (PsInitialSystemProcess); Contains functionality to detect sandboxes (registry SystemBiosVersion/Date); 2 other signatures
          sdbinst.exe
            starts: conhost.exe
          iscsicli.exe
            starts: conhost.exe
          5 other processes
            starts: conhost.exe
  WindowsMediaPlayerM.exe
    dropped: C:\Users\user\AppData\Roaming\...\W8FOr23 (PE32)
    starts: W8FOr23
      W8FOr23
        dropped: C:\Users\user\AppData\Local\...\yabayuvj.exe (PE32)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        starts: yabayuvj.exe
          yabayuvj.exe
            dropped: C:\Users\user\AppData\Local\...\ggipwpke.exe (PE32)
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
            starts: svchost.exe, svchost.exe, sdbinst.exe
  2 other processes
    signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    starts: ggipwpke.exe, W8FOr23, msiexec.exe
      W8FOr23
        dropped: C:\Users\user\AppData\Local\...\ggipwpke.exe (PE32)
        starts: ggipwpke.exe
Threat name: Win32.Virus.Ramnit
Status: Malicious
First seen: 2017-07-20 01:03:00 UTC
AV detection: 31 of 31 (100.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence evasion trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Checks whether UAC is enabled
Adds Run key to start application
Drops startup file
Windows security modification
Loads dropped DLL
Executes dropped EXE
UAC bypass
Modifies WinLogon for persistence
Modifies security service
Modifies firewall policy service
Windows security bypass
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments