MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f6957a17b9bc161dc74ac1bb60a20e75b1ce9f734baef833fbe6996f159078c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f6957a17b9bc161dc74ac1bb60a20e75b1ce9f734baef833fbe6996f159078c
SHA3-384 hash: d17bdd7113f24d525f989299d3c769e71de6aae863ebdf25bafbb0142075c88820322b2644565073384aad441f744c20
SHA1 hash: 4bc9e0b66caa6f6ba5c3308e6a6f9cb887e1ff24
MD5 hash: 21bbf04c9967ae237b8dc3e432419aa5
humanhash: virginia-indigo-robin-high
File name:aqgkoizjhx.lbj
Download: download sample
Signature Mekotio
Create hunting rule
File size:10'532'352 bytes
First seen:2022-08-22 03:20:03 UTC
Last seen:2022-08-22 03:33:13 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash ab6f152b2a1663f522309d739518cc06 (2 x Mekotio)
ssdeep 196608:sIYL6ruLLgezRh4l+MlAr6dPtLCF9kpiE1hRvsqN/Nwc/V82t:Bxruw4klrar6dPlCrRE1hRvsqN/Nws
Threatray 13'807 similar samples on MalwareBazaar
TLSH T131B623BB15807EC7E63583B77C2784498C29F5768F05223AB0AF9AB6914644DCFF4B60
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
13.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
9.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter 1ZRR4H
Tags:carriagetourbrussels-com dll Mekotio

Intelligence

File Origin
# of uploads :
2
# of downloads :
719
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300107/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.19432.28627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6302f5eec9bbd990978643ec/reports/00ebb134-0626-4dcf-9a11-8dc067355204/overview
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/21a7a795-ea86-4186-b373-62bb063ba0d5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1055269
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 687782 Sample: aqgkoizjhx.lbj Startdate: 22/08/2022 Architecture: WINDOWS Score: 80 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 42 PE file contains section with special chars 2->42 8 loaddll32.exe 1 2->8         started        process3 signatures4 44 Query firmware table information (likely to detect VMs) 8->44 46 Hides threads from debuggers 8->46 48 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->48 11 rundll32.exe 8->11         started        14 rundll32.exe 8->14         started        16 cmd.exe 1 8->16         started        18 5 other processes 8->18 process5 signatures6 54 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->54 56 Hides threads from debuggers 11->56 58 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->58 20 WerFault.exe 6 9 11->20         started        22 WerFault.exe 9 14->22         started        25 rundll32.exe 16->25         started        28 WerFault.exe 9 18->28         started        30 WerFault.exe 9 18->30         started        process7 dnsIp8 34 192.168.2.1 unknown unknown 22->34 50 Hides threads from debuggers 25->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->52 32 WerFault.exe 19 9 25->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f6957a17b9bc161dc74ac1bb60a20e75b1ce9f734baef833fbe6996f159078c/
Threat name:
Win32.Infostealer.Melcoz
Create hunting rule
Status:
Malicious
First seen:
2022-08-17 16:04:13 UTC
File Type:
PE (Dll)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5uvpil3tpawdxduvqn3mcra45nrz2pxgs5o7az7xzuzn4kza6ga._file
Verdict:
unknown
Similar samples:
18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679
Mekotio
1b3495921d935edffa5714e2549cee5ef27e0909dda640cf8d93b5a63424771a
Mekotio
24316b3ae1c1bafee76ca8bb33807d37130a58bc6aa19042f06c304af59af615
Mekotio
31fc16d69939d4b8b18df3d0781b38aedfb4520ad14befa70d64d4f72e27bee6
Mekotio
4162420c2a3575e1a4c1e56fd01b11f6411e62899cd5661bb02a7874b3f7bcd9
Mekotio
9b3f6fa723fd21f702c0155a60c731169f71f5ba310148ca3ba11c0abe707d33
Mekotio
af74b80210c8fd9f512427ff46e8ccbdf063a9eed4fa3ffe15f791880c5b8d1e
Mekotio
cc34ea5bc63427bf2fb40927df5bbcd1f0c3f850c8033c693cc6f8c483e31c29
Mekotio
f404a5d8e7a6622e073a2a596e728cb5be383baa2df71924d116db5ed2fa68ee
Mekotio
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
Mekotio
+ 13'797 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/220822-dvtq7schf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
b5eb72d2bbdd6e96654ca82dc7328efe4e3fab95c601cfb0e4c1c090d96647c0
MD5 hash:
06077032e630dfb28353bbdcf4874bf9
SHA1 hash:
b4e882689a62ace19b5457c3fb1f0b1e3b74d539
Link:
https://www.unpac.me/results/5c80ec3d-f712-46af-acc8-7132186d8e21/
SH256 hash:
2f6957a17b9bc161dc74ac1bb60a20e75b1ce9f734baef833fbe6996f159078c
MD5 hash:
21bbf04c9967ae237b8dc3e432419aa5
SHA1 hash:
4bc9e0b66caa6f6ba5c3308e6a6f9cb887e1ff24
Link:
https://www.unpac.me/results/5c80ec3d-f712-46af-acc8-7132186d8e21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/2f6957a17b9bc161dc74ac1bb60a20e75b1ce9f734baef833fbe6996f159078c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300107/

Comments