MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
SHA3-384 hash: e65121228762497ed1f7acae12062ae8034f44f1b01b6ac40060ee9b7d0f80e9770f9a997a5e0e9dfc20d8ac27807eeb
SHA1 hash: 3ed0f1c62db254e4094a13afb183ca0f69902a11
MD5 hash: f5d015422c420959c18e5a5c1e5f8de7
humanhash: bakerloo-red-edward-oven
File name:CG4KWEMBK1HMJOIJSFQJNCYZ8Z6OMUL72R6
Download: download sample
File size:8'717'824 bytes
First seen:2020-11-04 10:30:56 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 70209a1bf30a63f4b2785878e500abaf
ssdeep 98304:pn2sfWLmKuaDohO1HQ8VdMQPvnHUr2jQ4oBxY3IyJWtUHEwzP4X8qP1pU83vZtJ2:pndngvLoBi4kHEw748yppZt9yfL
Threatray 1 similar samples on MalwareBazaar
TLSH B696C023B24461BDD06B0E3A4437AB94E4FB777566028CA767F4198C4F36291EA3F643
Reporter JAMESWT_WT
Tags:Mekotio spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82828/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.44249251.10698.9145.UNOFFICIAL
Create hunting rule

PUA.Win.Malware.Gamemodding-6726308-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520016
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c/
Threat name:
Win32.Trojan.Mekotio
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 01:44:26 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201104-wnwfrb38kn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
ServiceHost packer
Unpacked files
SH256 hash:
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
MD5 hash:
f5d015422c420959c18e5a5c1e5f8de7
SHA1 hash:
3ed0f1c62db254e4094a13afb183ca0f69902a11
Link:
https://www.unpac.me/results/1f96b552-da78-4b8f-a0a9-2caf87c90e97/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/82828/

Comments