MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aa0c65b1c37512536706d22a19af44e4ba91f8406bee0b1cdf691a050e8e7f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mekotio

Vendor detections: 3



SHA256 hash: 0aa0c65b1c37512536706d22a19af44e4ba91f8406bee0b1cdf691a050e8e7f0
SHA3-384 hash: f37c62090a49a82dd763946dd7f4e577e581de70eac7adea16626de97e9caf1dce22797de3b4849031ffd33db612260d
SHA1 hash: a2c2fc03ba42b8eed7800423294ec46910bc9dca
MD5 hash: ea5b0a11238124c6fc78dd72a7bb2401
humanhash: item-mexico-mockingbird-orange
File name: ea5b0a11_by_Libranalysis
Signature: Mekotio
File size: 567'296 bytes
First seen: 2021-04-29 10:05:18 UTC
Last seen: 2021-04-29 15:15:45 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 12288:pSxfYeOMTeyaOfuYugPElcG2WV6ENLFO6PACX:pSJYeOMKDcPWVLzO6PAa
Threatray: 12 similar samples on MalwareBazaar
TLSH: 69C49E21B2D6C532D86E0274352AD79A9565BDE49FF280FB13C92E0F0E739C05635FA2
Reporter: Libranalysis
Tags: Loader Mekotio msi Servizio fiscale spy


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 4
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Downloader.SLoad
Status: Malicious
First seen: 2021-04-29 10:06:20 UTC
File Type: Binary (Archive)
Extracted files: 49
AV detection: 8 of 29 (27.59%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
