MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb
SHA3-384 hash: 6facd777879dd7bba1288215fa04230469d766292bbc0c24d296afb2acac9b31a50c17dc205c22c83437730221cdaf2e
SHA1 hash: 7872e57d9e89fb65f22f51d93a5ac3ca39fc30da
MD5 hash: 73613b116ebb614b2964038b3f937db0
humanhash: magazine-happy-timing-glucose
File name: chthonic_2.23.17.10.vir
Signature: Chthonic
File size: 1'866'558 bytes
First seen: 2020-07-19 19:41:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1e4543b94f902fb1e062932841a7f90c
ssdeep: 49152:VqV+Nd+2tLELLVqVzeKAXmDwWUESZiIrHsL:VqV+N/L081AWDwWUESZIL
TLSH: 768523323BC69076F97345B04965D271BD78B57602B1A8C7AFAA0A6C3F71AC0E725703
Reporter: @tildedennis
Tags: Chthonic


Twitter (@tildedennis): chthonic version 2.23.17.10

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 17
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247446): sample chthonic_2.23.17.10.vir, start date 20/07/2020, architecture WINDOWS, score 100
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2019-01-21 18:30:40 UTC
AV detection: 27 of 31 (87.10%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence discovery
Behaviour
Modifies system certificate store
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Modifies registry class
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Modifies service
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Disables taskbar notifications via registry modification
Modifies Windows Defender Real-time Protection settings
UAC bypass
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.