MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 057c4c59d55129c9c6877afc5f428c59f86645e244383ee777d7f62d067e286e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
Threat unknown
Vendor detections: 4

SHA256 hash: 057c4c59d55129c9c6877afc5f428c59f86645e244383ee777d7f62d067e286e
SHA3-384 hash: 937154264dfd766f46e76f4faf07e56686fa1cb49d9676da9dec203ca70adf2e475fcb3b1aaf714620e5b054b5e82dfc
SHA1 hash: 7f7bcf1168fecc64895685a0724245c428f3c835
MD5 hash: fd9d34fe0be6910bfb8f1a3ed3bb15a1
humanhash: arizona-avocado-nineteen-finch
File name: IG2LL89NU0M1DS4F7FNSZ64VH3EV
Download: download sample
File size: 11'617'280 bytes
First seen: 2020-11-04 10:30:43 UTC
Last seen: 2020-11-04 13:02:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 90b1e4f00cdb5f771a950f333045292e
ssdeep: 196608:DiFGcP3wBY2ZxhLfp4LqK6cSncF7W02r:DiZvwRTLf+rvIcFjO
Threatray: 3 similar samples on MalwareBazaar
TLSH: DCC6AE7F7194923DC01DC57EC0939F40A433F97A0B72C9FB629422A81F1A5C59E7EA29
Reporter: JAMESWT_WT
Tags: Mekotio spy

Intelligence


File Origin
# of uploads: 2
# of downloads: 98
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Very long command line found
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Behavior Graph ID: 309103; Sample: IG2LL89NU0M1DS4F7FNSZ64VH3EV; Startdate: 04/11/2020; Architecture: WINDOWS; Score: 92]
Threat name:
Win64.Trojan.Mekotio
Status:
Malicious
First seen:
2020-11-04 10:14:40 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
20 of 29 (68.97%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SHA256 hash:
057c4c59d55129c9c6877afc5f428c59f86645e244383ee777d7f62d067e286e
MD5 hash:
fd9d34fe0be6910bfb8f1a3ed3bb15a1
SHA1 hash:
7f7bcf1168fecc64895685a0724245c428f3c835
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments