MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Chthonic


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb
SHA3-384 hash: 6facd777879dd7bba1288215fa04230469d766292bbc0c24d296afb2acac9b31a50c17dc205c22c83437730221cdaf2e
SHA1 hash: 7872e57d9e89fb65f22f51d93a5ac3ca39fc30da
MD5 hash: 73613b116ebb614b2964038b3f937db0
humanhash: magazine-happy-timing-glucose
File name:chthonic_2.23.17.10.vir
Download: download sample
Signature Chthonic
Create hunting rule
File size:1'866'558 bytes
First seen:2020-07-19 19:41:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e4543b94f902fb1e062932841a7f90c (1 x Chthonic)
ssdeep 49152:VqV+Nd+2tLELLVqVzeKAXmDwWUESZiIrHsL:VqV+N/L081AWDwWUESZIL
Threatray 23 similar samples on MalwareBazaar
TLSH 768523323BC69076F97345B04965D271BD78B57602B1A8C7AFAA0A6C3F71AC0E725703
Reporter tildedennis
Tags:Chthonic


Avatar
tildedennis
chthonic version 2.23.17.10

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28315/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390479
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247446 Sample: chthonic_2.23.17.10.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 115 Multi AV Scanner detection for dropped file 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 Detected unpacking (changes PE section rights) 2->119 121 4 other signatures 2->121 10 chthonic_2.23.17.10.exe 3 7 2->10         started        15 LNew.com 2->15         started        17 pwmixer.exe 2->17         started        process3 dnsIp4 113 2.23.17.10 SEABONE-NETTELECOMITALIASPARKLESpAIT European Union 10->113 88 C:\ProgramData\MixerMood\logs.exe, PE32 10->88 dropped 90 C:\ProgramData\MixerMood\Mixer.exe, PE32 10->90 dropped 149 Potential malicious VBS script found (suspicious strings) 10->149 19 logs.exe 1 3 10->19         started        23 Mixer.exe 7 10->23         started        25 wscript.exe 10->25         started        92 C:\Users\user\AppData\Local\...\4947825.tmp, PE32 15->92 dropped 151 Detected unpacking (changes PE section rights) 15->151 153 Detected unpacking (creates a PE file in dynamic memory) 15->153 155 Detected unpacking (overwrites its own PE header) 15->155 157 Writes to foreign memory regions 15->157 28 msiexec.exe 15->28         started        159 Installs a global get message hook 17->159 file5 signatures6 process7 dnsIp8 64 C:\Users\user\AppData\Roaming\LNew\LNew.com, PE32 19->64 dropped 66 C:\Users\user\AppData\Local\...\4657332.tmp, PE32 19->66 dropped 125 Antivirus detection for dropped file 19->125 127 Multi AV Scanner detection for dropped file 19->127 129 Detected unpacking (changes PE section rights) 19->129 135 9 other signatures 19->135 30 msiexec.exe 77 4 19->30         started        68 C:\ProgramData\ActualSoftware\update.exe, PE32 23->68 dropped 34 wscript.exe 1 23->34         started        105 iplogger.org 88.99.66.31, 443, 49715 HETZNER-ASDE Germany 25->105 131 System process connects to network (likely due to code injection or exploit) 25->131 107 89.18.27.167, 53 MGA-RO-ASRO Romania 28->107 109 163.53.248.170, 53 DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU Australia 28->109 111 7 other IPs or domains 28->111 70 C:\Users\user\AppData\Local\Temp\A52D.tmp, PE32 28->70 dropped file9 133 Detected non-DNS traffic on DNS port 109->133 signatures10 process11 file12 94 C:\Users\user\AppData\...\XAutoit3.com, PE32 30->94 dropped 96 C:\Users\user\AppData\Local\Temp\8205.tmp, PE32 30->96 dropped 161 Creates an undocumented autostart registry key 30->161 163 Hides the Windows control panel from the task bar 30->163 165 Disables Windows Defender (deletes autostart) 30->165 167 6 other signatures 30->167 36 cmd.exe 30->36         started        38 cmd.exe 30->38         started        40 cmd.exe 1 34->40         started        signatures13 process14 process15 42 XAutoit3.com 36->42         started        46 conhost.exe 36->46         started        48 XAutoit3.com 38->48         started        50 conhost.exe 38->50         started        52 update.exe 51 124 40->52         started        54 conhost.exe 40->54         started        file16 76 C:\Users\user\AppData\Local\...\4642FBA.tmp, PE32 42->76 dropped 137 Detected unpacking (changes PE section rights) 42->137 139 Detected unpacking (creates a PE file in dynamic memory) 42->139 141 Detected unpacking (overwrites its own PE header) 42->141 56 msiexec.exe 42->56         started        78 C:\Users\user\AppData\Local\...\42441FC.tmp, PE32 48->78 dropped 143 Writes to foreign memory regions 48->143 145 Allocates many large memory junks 48->145 60 msiexec.exe 48->60         started        80 C:\Program Files (x86)\...\srvhelp.exe, PE32 52->80 dropped 82 C:\Program Files (x86)\...\pwmixer.exe, PE32 52->82 dropped 84 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 52->84 dropped 86 10 other files (none is malicious) 52->86 dropped 147 Creates multiple autostart registry keys 52->147 62 srvman.exe 52->62         started        signatures17 process18 dnsIp19 98 188.165.200.156, 53 OVHFR France 56->98 101 130.255.78.223, 53, 62563 BKVG-ASDE Germany 56->101 103 2 other IPs or domains 56->103 72 C:\Users\user\AppData\Local\Temp\45F2.tmp, PE32 56->72 dropped 74 C:\Users\user\AppData\Local\Temp\7FFD.tmp, PE32 60->74 dropped file20 123 Detected non-DNS traffic on DNS port 101->123 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2019-01-21 18:30:40 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
Chthonic
27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7
Chthonic
2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2
Chthonic
329e8814efa351d1c58c275981a39cf0a9ef0f50d8eb8db9bbb8f70020d75204
Chthonic
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
Chthonic
56af437f8b3b60b32b7cba77fa159138a777a48e98ce0215e8ec6f97ef12b223
Chthonic
73acff9ea3647f699cd645b09e652ca498eea7c5cee9f3cb573afda67a0ceeb2
Chthonic
cf1e8f2fc2dd05514be3e8f92abf5b266dfb1547cc611dabc0cc4eea5a1b7dfe
Chthonic
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
Chthonic
fae7f26d7b1d09486a585023081493b1315895d9ebf6dac3a56cdd4e32590424
Chthonic
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence discovery
Link:
https://tria.ge/reports/200719-rq4vcw3yy2/
Behaviour
Modifies system certificate store
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Drops file in Program Files directory
Drops file in Program Files directory
Modifies service
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Disables taskbar notifications via registry modification
Executes dropped EXE
Blacklisted process makes network request
Modifies Windows Defender Real-time Protection settings
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/chthonic/
Cape
Cape
https://www.capesandbox.com/analysis/28315/

Comments