MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: b6f9f9fa970bf7ec730e0944b1bb0ba8d17a3715de0730bc417aae149ae048dd
SHA3-384 hash: 78a86d848a797260ac7fce3e0e537addc54e3aa37d77b5d5241102a63b03c70f234625437af264076828cf334ec56ac8
SHA1 hash: 4fae40c361e7f2da23a7984e06320b89cbad654d
MD5 hash: 8296372373a0e63024143e6beee29a82
humanhash: snake-network-tennis-jupiter
File name: chthonic_2.23.15.12.vir
Signature: Chthonic
File size: 437'248 bytes
First seen: 2020-07-19 19:29:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ab88fe4fec99ffdd3cf754032bc091b1
ssdeep: 6144:gROfug5XfJBbkmKr56uW6AOf0dBOIdFEkFcRjwx:gROGgtnKN6sGfOIdFZQwx
TLSH: 3E946B12B7F68424F4B21A3089F557719A397DF19B3895AF63D07B2E0DB06819C31BA3
Reporter: @tildedennis
Tags: Chthonic


Twitter
@tildedennis
chthonic version 2.23.15.12

Intelligence

File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour

Behavior Graph ID 247329 (sample chthonic_2.23.15.12.vir, start date 20/07/2020, architecture WINDOWS, score 100). The graph image is not on this page; its labels, flattened here into a process tree:

Sample-level signatures:
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  Detected non-DNS traffic on DNS port
  Machine Learning detection for sample

Process tree with per-process findings:
  chthonic_2.23.15.12.exe
    network: 2.23.15.12 (AKAMAI-ASN1EU, European Union)
    Detected unpacking (changes PE section rights)
    Detected unpacking (overwrites its own PE header)
    Writes to foreign memory regions
    -> msiexec.exe
         network: 62.113.203.55:53 (TTMDE, Germany); 193.183.98.154:53 (PDDA-ASIT, Sweden; flagged as non-DNS traffic on DNS port); 11 other IPs or domains
         dropped: C:\Users\user\AppData\...\_WindowsMail.exe (PE32)
         Hides that the sample has been downloaded from the Internet (zone.identifier)
         -> cmd.exe
              -> conhost.exe
              -> _WindowsMail.exe
                   Antivirus detection for dropped file
                   Multi AV Scanner detection for dropped file
                   Detected unpacking (changes PE section rights)
                   3 other signatures
                   -> msiexec.exe
  _WindowsMail.exe (two further top-level instances, each spawning msiexec.exe)
    -> msiexec.exe
Result
Threat name: Win32.Trojan.Foreign
Status: Malicious
First seen: 2018-02-01 00:47:00 UTC
AV detection: 26 of 30 (86.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion trojan persistence
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Blacklisted process makes network request

Result
Threat name: Unknown
Score: 1.00
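The sandbox signature "Detected non-DNS traffic on DNS port" above, raised for the port-53 connections to 62.113.203.55 and 193.183.98.154, is a check a network sensor can reproduce offline. The Python below is an added example, not MalwareBazaar or sandbox-vendor code: it parses each payload sent to port 53 as a DNS message (TCP length prefix, header flags, question section, record counts) and flags the ones that do not parse. The flow records are constructed for the example; only the destination IPs are taken from the report above, and the Flow, looks_like_dns and find_non_dns_on_53 names are the example's own.

```python
"""Flag traffic to port 53 whose payload is not a plausible DNS message.

Added example with constructed flow records; not MalwareBazaar or
sandbox-vendor code.  Names (Flow, looks_like_dns, find_non_dns_on_53)
are this example's own.
"""
import struct
from dataclasses import dataclass
from typing import Optional

VALID_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
MIN_RR_LEN = 11                   # root name (1) + type (2) + class (2) + ttl (4) + rdlength (2)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    payload: bytes  # first segment of the layer-4 payload


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal well-formed A query (RD set, one question), used as ground truth."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, pos: int) -> Optional[int]:
    """Return the offset just past the DNS name starting at pos, or None if malformed."""
    total = 0
    while pos < len(buf):
        length = buf[pos]
        if length == 0:                         # root label terminates the name
            return pos + 1
        if length & 0xC0 == 0xC0:               # compression pointer occupies 2 bytes
            return pos + 2 if pos + 1 < len(buf) else None
        if length > 63:                         # labels are at most 63 bytes; 0x40/0x80 prefixes are reserved
            return None
        total += length + 1
        if total > 255:                         # whole name is at most 255 bytes
            return None
        pos += 1 + length
    return None                                 # ran off the end of the buffer


def looks_like_dns(payload: bytes, proto: str) -> bool:
    """Structural sanity check: does this payload parse as one DNS message?"""
    if proto == "tcp":                          # RFC 1035 4.2.2: 2-byte length prefix
        if len(payload) < 2:
            return False
        (declared,) = struct.unpack("!H", payload[:2])
        if declared != len(payload) - 2:        # assumes one whole message per segment
            return False
        payload = payload[2:]
    if len(payload) < 12:                       # fixed header
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 1                    # reserved bit, must be zero
    if opcode not in VALID_OPCODES or z_bit:
        return False
    if qr == 0 and qd == 0:                     # a query with no question
        return False
    pos = 12
    for _ in range(qd):                         # each question: name + QTYPE + QCLASS
        pos = _skip_name(payload, pos)
        if pos is None or pos + 4 > len(payload):
            return False
        pos += 4
    if pos + (an + ns + ar) * MIN_RR_LEN > len(payload):   # counts larger than the bytes left
        return False
    return True


def find_non_dns_on_53(flows):
    """Return (src, dst, proto) for every port-53 flow that does not parse as DNS."""
    return [(f.src, f.dst, f.proto) for f in flows
            if f.dport == 53 and not looks_like_dns(f.payload, f.proto)]


# Constructed flows (not captured from the sample); the two port-53 destinations
# mirror the IPs the sandbox reported, the payloads are made up.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "8.8.8.8", 53, "udp", build_query("example.com")),
    Flow("10.0.0.5", "62.113.203.55", 53, "udp",
         b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03" + bytes(9)),    # TLS ClientHello prefix on UDP/53
    Flow("10.0.0.5", "193.183.98.154", 53, "tcp",
         b"\x00\x40" + build_query("example.com")),                        # length prefix does not match
    Flow("10.0.0.5", "93.184.216.34", 443, "tcp", b"\x16\x03\x01"),        # not port 53, ignored
]

if __name__ == "__main__":
    for hit in find_non_dns_on_53(SAMPLE_FLOWS):
        print("non-DNS traffic on port 53:", hit)
```

The check only sees one segment per flow, so a sensor that applies it to TCP must reassemble the stream before testing the length prefix; and it accepts anything that is syntactically DNS, which DNS-tunnelling payloads deliberately are, so it complements rather than replaces volume and entropy heuristics on the question names.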

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments