MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4dfc047ed766b96a6de718ea96fefee921556caa4ce6171fbe407284cbba2f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: f4dfc047ed766b96a6de718ea96fefee921556caa4ce6171fbe407284cbba2f3
SHA3-384 hash: 0328bb278ade470016ca737ba6406a36c4d76243ad63f65c0c45463210319408c3e469d3425477f81c47b28b408074ac
SHA1 hash: 1ff3e9c230a345813b0848d911d80e2150b2df10
MD5 hash: 652ddd26bb95583bfceddba3f0813b9a
humanhash: skylark-equal-idaho-music
File name: chthonic_2.23.18.27.vir
Signature: Chthonic
File size: 868'408 bytes
First seen: 2020-07-19 19:43:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 143f01aac681514f0e86a3ddaa850bc9
ssdeep: 12288:XQfO3NWjdwnz4KJdXUCf0EiA18AYjTTuj22zGaFI5a:XQ2gl1axe
TLSH: 1405E4C2EE53022AE716047DFB9862C4F948AF061F7F4CA3718DFA1E45B3D810A9D665
Reporter: @tildedennis
Tags: Chthonic


Twitter
@tildedennis: chthonic version 2.23.18.27

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 28
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247494, sample chthonic_2.23.18.27.vir, start date 20/07/2020, architecture WINDOWS, score 100; graph image not preserved). Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Detected non-DNS traffic on DNS port; 2 other signatures. Processes started: TWindowsNt.exe, chthonic_2.23.18.27.exe, autoit3T.exe, winver.exe. Further signatures on the graph: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to automate explorer (e.g. start an application); Creates multiple autostart registry keys; Contains functionality to compare user and computer (likely to detect sandboxes); Machine Learning detection for dropped file; Writes to foreign memory regions.
Threat name: Win32.Trojan.Wauchos
Status: Malicious
First seen: 2019-10-20 00:49:00 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence ransomware bootkit
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Loads dropped DLL
Modifies WinLogon to allow AutoLogon
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments