MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5
SHA3-384 hash: 0c20c6c9f135598c64566b131199020426e99ad44fb62c057f3e830faf9c615535e3f5e34f13cd9ccb2d53294155d4a8
SHA1 hash: dc2afbca51b7910bf8f71ecb267291711b6b1d05
MD5 hash: 6ebdf4f0587d266a618d2e83fe2e7cdb
humanhash: south-tango-asparagus-lake
File name:ID-FACT.1682059357.zip
Download: download sample
Signature Mekotio
Create hunting rule
File size:5'296'433 bytes
First seen:2023-04-21 06:43:47 UTC
Last seen:2023-04-21 06:43:57 UTC
File type: zip
MIME type:application/zip
ssdeep 98304:8VqV1DHJEXwX07AhuHH7RLN0AMSTXyF5NzoRvKbnFJwXaf9xpMKvRC7Mq:lVqghuHlLNMSA5xopKbnvf93MKRC7Mq
TLSH T1173633FC2F211CC6621539718D68CA4A322AF80DB0DA1FB7BCDA38A664E5D45ED1375C
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter JAMESWT_WT
Tags:ITA Mekotio spy zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
588
Origin country :
IT IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:FACT64423.msi
File size:5'884'928 bytes
SHA256 hash: 5013cf8a7cf2e0e230f8c7149d2c9eb99c681cda6d754f58e2409d6f3db98c56
MD5 hash: 9f0f32dda0a63ad985226cba751af5f1
MIME type:application/x-msi
Signature Mekotio
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3283.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.Trojan.VYZK-4288.30727.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
ZIP File
Link:
https://app.docguard.net/2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5/results/dashboard
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
shell32.dll
Link:
https://www.filescan.io/uploads/644230b3626e97a950233070/reports/98da6088-690b-4494-aba7-62d6ae3cc350/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fo2jscppnvbabulx3ovkiaflagyykia4ryq3iggfx32tzye6ntkq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/230421-k4fn9sgg6v/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments