MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5360ecfb9f6acf73785533948430720c2bd3364df73b9e2405c12e9c1433af6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: b5360ecfb9f6acf73785533948430720c2bd3364df73b9e2405c12e9c1433af6
SHA3-384 hash: b3f422aff799802b59ec834453cffb14cb885249324498c707a3467c7fe30134d794122a42ee81fad2ecf79fe2b57593
SHA1 hash: a6874460fd44a3140afb6802f60de5df93cb038e
MD5 hash: 7b3584c15a1c394b2e77da5cf6888c8a
humanhash: green-white-three-oven
File name:chthonic_2.23.12.4.vir
Download: download sample
Signature Chthonic
File size:217'088 bytes
First seen:2020-07-19 17:19:20 UTC
Last seen:2020-07-19 19:14:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d02c22703f67eb9b4ead957478342de
ssdeep 6144:Pot6uq+rCxtmGzA0OJnMMMMMMMMMMMMMMMcMMMMMMMMMMMMMMMMMMMMeV9lgMMMm:PdhDmGaBMMMMMMMMMMMMMMMcMMMMMMMw
TLSH 45248D51B2E0ECE3CC550C7145EAFA706D266FBC6218919236D93F4F3BB26E0911A376
Reporter @tildedennis
Tags:Chthonic


Twitter
@tildedennis
chthonic version 2.23.12.4

Intelligence


File Origin
# of uploads :
2
# of downloads :
19
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Threat name:
Win32.Trojan.Upatre
Status:
Malicious
First seen:
2016-12-06 05:40:50 UTC
AV detection:
27 of 31 (87.10%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: EnumeratesProcesses
System policy modification
Checks whether UAC is enabled
Checks whether UAC is enabled
Deletes itself
Disables taskbar notifications via registry modification
Adds policy Run key to start application
Blacklisted process makes network request
Adds policy Run key to start application
Disables taskbar notifications via registry modification
Blacklisted process makes network request
UAC bypass
Modifies Windows Defender Real-time Protection settings
UAC bypass
Modifies Windows Defender Real-time Protection settings
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments