MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed
SHA3-384 hash: 24d9894cb54f24fcffbf88ccf80cf4144e75e00efc90e52aa1e89792038759a9e2810805f1f9a7efa5841f895db08811
SHA1 hash: 97d45fe9391164cf6cee64c5a3c93632c491eb07
MD5 hash: 6d22f7d0d542224ba270aee85ed8b8d4
humanhash: princess-east-juliet-eleven
File name:SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi
Download: download sample
Signature Mekotio
Create hunting rule
File size:6'910'464 bytes
First seen:2023-01-06 09:41:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:V60PcuP3qU02+cr7J2F9J7htUZnb1H6d/:VF13qo+W2rtenb56Z
Threatray 981 similar samples on MalwareBazaar
TLSH T1EC662323B1A64136D1FEC5750A3BBFD671B5262543A280FB72C85DCE34B24E0A372997
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:Mekotio msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349923/
Detection(s):
SecuriteInfo.com.W32.Trojan.VYZK-4288.30727.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
shell32.dll
Link:
https://www.filescan.io/uploads/63b7ecf1a70bef46551d50a3/reports/dd00eaed-7604-41c1-8c08-73ac169ebdef/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1146168
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778898 Sample: SAT-20220411-89287719adm-Re... Startdate: 06/01/2023 Architecture: WINDOWS Score: 60 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 3 other signatures 2->56 7 msiexec.exe 12 34 2->7         started        10 OUTLOOK.EXE 502 36 2->10         started        12 lbY.T.exe 2->12         started        14 2 other processes 2->14 process3 file4 34 C:\Windows\Installer\MSI9E17.tmp, PE32 7->34 dropped 36 C:\Windows\Installer\MSI9B56.tmp, PE32 7->36 dropped 38 C:\Windows\Installer\MSI9A5B.tmp, PE32 7->38 dropped 40 2 other malicious files 7->40 dropped 16 msiexec.exe 1 19 7->16         started        process5 dnsIp6 42 107.158.94.13, 3020, 49697 SERVERHUB-NLDE United States 16->42 44 ipinfo.io 34.117.59.81, 443, 49696 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->44 26 C:\Users\user\AppData\...\tolsarycdy.bps, PE32 16->26 dropped 28 C:\Users\user\AppData\...\lbY.T.exe (copy), PE32 16->28 dropped 30 C:\Users\user\...\khb41p7lm09y5etuuj6zm7aisss, PE32 16->30 dropped 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->58 60 May check the online IP address of the machine 16->60 62 Overwrites code with function prologues 16->62 64 Hides threads from debuggers 16->64 21 lbY.T.exe 3 18 16->21         started        file7 signatures8 process9 dnsIp10 46 grupofuturama.eu 162.19.3.76 CENTURYLINK-US-LEGACY-QWESTUS United States 21->46 48 ipinfo.io 21->48 32 C:\Users\user\AppData\Local\...\7ae358a8.dll, PE32 21->32 dropped 66 Query firmware table information (likely to detect VMs) 21->66 68 May check the online IP address of the machine 21->68 70 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->70 72 5 other signatures 21->72 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed/
Threat name:
Win32.Trojan.SpywareX
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 20:36:25 UTC
File Type:
Binary (Archive)
Extracted files:
57
AV detection:
9 of 39 (23.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlmiw2ucll46d25fmnllye6afrhety5pmt7q5mwqtr5o57qx4hwq._file
Verdict:
unknown
Similar samples:
0097e775b3ed33d109e970472d5f8fd5d76caa2d28e42419bc2c8154033649af
Mekotio
20691095f8e73e8f1910cd88542ff81adb40b23af4af133d7b9cfb2faa08692e
Mekotio
279ce901888969ce890380cbc2f88ec59529b2b722627015523fb1a054762592
Mekotio
3b25269ee1bf950e149d758ce4074f0ddca17282fb933bc44f9a77e6d495dc1b
Mekotio
3c4d586eac09b997f57af9b6679569bc9b321941754b008f45b801c196cab03c
Mekotio
635329a3e60baf7fc0d50d16b87c4ddc8f9300c710696dde863c3d90abb1b4a3
Mekotio
a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701
Mekotio
b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a
Mekotio
cfa9c1d8b0ea8b947b89c01c9cbb87a70161a528337e5af00e855a70d350f22e
Mekotio
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a
Mekotio
+ 971 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/230106-lpcjqsbc6s/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ad88b6a825a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349923/

Comments