MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8daeb2ea27da8da2101c9f0f766209cb67c967f20662e8f21cd659d8d5dc06f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: d8daeb2ea27da8da2101c9f0f766209cb67c967f20662e8f21cd659d8d5dc06f
SHA3-384 hash: 2bf4a52373dc847236fb98026962c76f01bd573edd867f939c33e93b321213279c1d446a28e3255e67bf8058999a31bd
SHA1 hash: 6b0cb0877a8ee3f08b2f10b9edc3525915d4130a
MD5 hash: 5fa7bc909e5b2c4a1c664d6ec560525e
humanhash: jig-don-shade-johnny
File name: chthonic_2.23.18.21.vir
Signature: Chthonic
File size: 896'000 bytes
First seen: 2020-07-19 19:49:30 UTC
Last seen: 2020-07-19 20:46:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dec6c86bd3573cbdc8014d4bda188aea
ssdeep: 12288:uCzTQwWfjpAKRuAe/T7SnT0wYYYcJRY3/FDnk+vZWKhhn9O2HubkQAJAMu:VzrWOJTGT0M/YkiRM2HtHOZ
TLSH: 8215BF217161E032EF1610718E1696FED969AF33CF2D54D76BC8396C1A326C1AB3EE11
Reporter: @tildedennis
Tags: Chthonic


Twitter: @tildedennis
chthonic version 2.23.18.21

Intelligence


File Origin
# of uploads: 2
# of downloads: 33
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247656; sample chthonic_2.23.18.21.vir; start date 20/07/2020; architecture WINDOWS; score 100), recovered from the flattened graph image:
Top-level signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Detected non-DNS traffic on DNS port; 2 other signatures
Top-level processes started: Adobei.exe; chthonic_2.23.18.21.exe; Adobei.exe
chthonic_2.23.18.21.exe:
    Network: 2.23.18.21 (SEABONE-NET TELECOM ITALIA SPARKLE SpA, IT, European Union)
    Dropped: C:\Users\user\AppData\Roaming\...\Adobei.exe (PE32); C:\Users\user\AppData\Local\...\76724447.tmp (PE32); C:\Users\user\AppData\Local\...\72513962.tmp (PE32); 4 other files (none is malicious)
    Signatures: Contains functionality to automate explorer (e.g. start an application); Contains functionality to compare user and computer (likely to detect sandboxes)
Adobei.exe (first instance):
    Dropped: C:\Users\user\AppData\Local\...\6934566A.tmp (PE32); C:\Users\user\AppData\Local\...\644A3377.tmp (PE32); C:\Users\user\AppData\Local\...\576F4E35.tmp (PE32); 3 other files (none is malicious)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; 4 other signatures
    Started: winver.exe
winver.exe:
    Network: 188.165.200.156 port 53 (OVH, FR, France); 163.53.248.170 port 53 (DIGITALPACIFIC-AU Digital Pacific Pty Ltd, AU, Australia); 4 other IPs or domains
    Signature on 163.53.248.170: Detected non-DNS traffic on DNS port
    Dropped: C:\Users\user\AppData\Local\Temp\13B6.tmp (PE32)
    Started: cmd.exe
cmd.exe:
    Started: Adobei.exe; conhost.exe
Adobei.exe (started by cmd.exe):
    Dropped: C:\Users\user\AppData\Local\...\57663031.tmp (PE32); C:\Users\user\AppData\Local\...\5057346B.tmp (PE32); C:\Users\user\AppData\Local\...\42317741.tmp (PE32); 3 other files (none is malicious)
    Signature: Writes to foreign memory regions
    Started: winver.exe; winver.exe
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2019-08-08 19:33:05 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments