MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 333daa7da050f7c0c38d56bf0b42e1b2702715cb87fa462457ce4d89b340d0fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 333daa7da050f7c0c38d56bf0b42e1b2702715cb87fa462457ce4d89b340d0fe
SHA3-384 hash: f2900b06526d45dd0583d8f8951db77a6a6d1c8afbd0c35af78d379834e48618da1ddb0b00b9a8d973127135c91be557
SHA1 hash: f1c5e236a2bc0a7a622076c5b5833c9250a27054
MD5 hash: 92058b84ad179d74ac6868406db10aad
humanhash: california-rugby-music-magnesium
File name:MTT0001450001.msi
Download: download sample
Signature Mekotio
Create hunting rule
File size:3'278'336 bytes
First seen:2022-05-11 00:23:17 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:8wiYYtw5cPhBQJ6KhgSpH7BRut7pIaHW4Y8T8gxorSFy8NitjVqoASA:+YYt7TQJtDujNChgVADtMCA
Threatray 2'729 similar samples on MalwareBazaar
TLSH T13AE56D22F288613EC0EB1AB6CC37D6159C3B7A716B12DC5757E4094C4F35982BA7AB07
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter 1ZRR4H
Tags:CL Mekotio msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269572/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe expand.exe remote.exe replace.exe update.exe
Link:
https://www.filescan.io/uploads/627b024a36c061db6e61cd94/reports/b6103901-db73-4d0f-9b0d-9720ecd94719/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/333daa7da050f7c0c38d56bf0b42e1b2702715cb87fa462457ce4d89b340d0fe
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/991427
Signature
Antivirus detection for dropped file
Hides threads from debuggers
May check the online IP address of the machine
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623917 Sample: MTT0001450001.msi Startdate: 10/05/2022 Architecture: WINDOWS Score: 76 66 Antivirus detection for dropped file 2->66 68 PE file contains section with special chars 2->68 8 msiexec.exe 3 18 2->8         started        11 cmd.exe 2->11         started        13 cmd.exe 1 2->13         started        15 msiexec.exe 3 2->15         started        process3 file4 46 C:\Windows\Installer\MSIA11D.tmp, PE32 8->46 dropped 48 C:\Windows\Installer\MSI9DFF.tmp, PE32 8->48 dropped 50 C:\Windows\Installer\MSI9C96.tmp, PE32 8->50 dropped 52 2 other files (none is malicious) 8->52 dropped 17 msiexec.exe 1 18 8->17         started        21 wsiwu.exe 12 11->21         started        24 conhost.exe 11->24         started        26 wsiwu.exe 13->26         started        28 conhost.exe 13->28         started        process5 dnsIp6 54 www.anders-wirken.de 185.215.157.198, 443, 49744 MITTWALD-ASMittwaldCMServiceGmbHundCoKGDE Germany 17->54 40 C:\ProgramData\aPB5PXLbL\poqOGdGkyH.asx, PE32 17->40 dropped 42 c:\programdata\aPB5PXLbL\wsiwu.exe (copy), PE32 17->42 dropped 44 C:\ProgramData\aPB5PXLbL\gv75D3ujndM05S8Cr, PE32 17->44 dropped 30 cmd.exe 1 17->30         started        32 WerFault.exe 23 9 17->32         started        56 ipinfo.io 21->56 58 espatron2022.est-le-patron.com 21->58 78 Query firmware table information (likely to detect VMs) 21->78 80 Hides threads from debuggers 21->80 82 Sample or dropped binary is a compiled AutoHotkey binary 21->82 84 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->84 file7 signatures8 process9 process10 34 wsiwu.exe 3 14 30->34         started        38 conhost.exe 30->38         started        dnsIp11 60 ipinfo.io 34.117.59.81, 49746, 49753, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 34->60 62 thangloitaynguyen.com 172.67.140.139, 443, 49750 CLOUDFLARENETUS United States 34->62 64 espatron2022.est-le-patron.com 15.222.13.200, 49749, 49759, 80 AMAZON-02US United States 34->64 70 Query firmware table information (likely to detect VMs) 34->70 72 May check the online IP address of the machine 34->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 34->74 76 3 other signatures 34->76 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/333daa7da050f7c0c38d56bf0b42e1b2702715cb87fa462457ce4d89b340d0fe/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gm62u7nakd34bq4nk27qwqxbwjycofolq75emjcxzzgytm2a2d7a._file
Verdict:
malicious
Similar samples:
1244ebb105dfcbfc32b5349f576e2e08f75437a6510d7db886e60815b7720816
Mekotio
56e791cc8e07df049102c8d489a27c08ce231b90ac97eb97c741ddeb236fec24
Mekotio
6cb693b434ef3c9155fd802d07ef6e3d77fb2ca90435d89fa945ddf525170a0a
Mekotio
94a3555c14771a4b3a7078f878e7530e04dcc846570b30f29aeb67c6733065d6
Mekotio
b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5
Mekotio
ba7753740ad8417eefd87b7ca66888ac93184752769db47b467d47687a132597
Mekotio
d95edec180d7c2ea69585c2e2fe6f7d30421fe0974b38afdc88a4ba756514cd6
Mekotio
fdbf873a5b98ba84b1e2d4b32b161360e25fdab595514666933bbb51f2f89a02
Mekotio
+ 2'719 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/220511-ap29lseahr/
Behaviour
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates connected drives
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/333daa7da050/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/333daa7da050f7c0c38d56bf0b42e1b2702715cb87fa462457ce4d89b340d0fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269572/

Comments