MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: 4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305
SHA3-384 hash: 0db45b9a1f66572ea76355bccb5c9be8cdceee074b8cef862d6f9e303837478c918823c88317f4b8208a39daddfc80f5
SHA1 hash: 575a8eaffb2c17a4dd414554dbc2e4f6a7df0922
MD5 hash: 7c168f46b8b7f8376b4a5d63145f7244
humanhash: six-october-blue-winner
File name: XUGODWFG1Z5A3LBN9CC6VDPNC4XHXQD1
File size: 12'793'344 bytes
First seen: 2020-10-05 09:24:26 UTC
Last seen: Never
File type: Executable exe (one vendor result below identifies it more precisely as a 64-bit DLL, PE+, so it is loaded via rundll32/loaddll64 rather than run directly)
MIME type: application/x-dosexec
imphash: b342200edd36e14a843b46c009d44513
ssdeep: 196608:qp5w3JDD/3CQR1HsTvbTiY2JTjre4DAqSZ104nief8E0naW:qp5wZDDyjz2JTHPDZSZ64nRP0h
Threatray: 1 similar sample on MalwareBazaar
TLSH: 5ED6BF7FB194A26EC25DCA3AC0E39F00E533B1751F32C5EB629406A52F275C49E7EA14
Reporter: JAMESWT_WT
Tags: Mekotio, spy

Intelligence

File Origin
# of uploads: 1
# of downloads: 122
Origin country: n/a

Vendor Threat Intelligence

Result 1
Verdict: Clean
Maliciousness: (no value given)
Behaviour:
- Creating a window
- Sending a UDP request
Result 2
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signatures:
- Hides threads from debuggers
- Multi AV Scanner detection for submitted file
- Obfuscated command line found
- Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
- PE file contains section with special chars
- System process connects to network (likely due to code injection or exploit)
- Tries to detect debuggers (CloseHandle check)
- Tries to detect debuggers by setting the trap flag for special instructions
- Tries to detect virtualization through RDTSC time measurements
- Uses ipconfig to lookup or modify the Windows network settings
- Very long command line found
Behaviour:
Behavior Graph (ID 293032, sample XUGODWFG1Z5A3LBN9CC6VDPNC4XHXQD1, start date 05/10/2020, architecture WINDOWS, score 92), reconstructed from the flattened graph dump as a process tree:

Sample-level observations
  Domains: es.sslhermanos.com, cdn.onenote.net
  Signatures: Multi AV Scanner detection for submitted file; Obfuscated command line found; Very long command line found; 2 other signatures

loaddll64.exe
  Signatures: Obfuscated command line found; Very long command line found
  |-- rundll32.exe
  |     Network: es.sslhermanos.com = 160.20.147.196, destination port 8350 (local port 49729), COMBAHTON GmbH, Germany
  |              www.perfectart.com.br = 172.67.213.25, destination port 80 (local port 49728), CLOUDFLARENET, United States
  |              3 other IPs or domains
  |     Signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly setting hooks in a foreign process; Tries to detect debuggers (CloseHandle check)
  |     |-- ipconfig.exe -> conhost.exe (three instances)
  |     |-- 10 other processes -> conhost.exe (three instances) and 6 other processes
  |-- rundll32.exe
  |     Signatures: Tries to detect debuggers by setting the trap flag for special instructions; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
  |-- rundll32.exe
  |     |-- WerFault.exe
  |-- 3 other processes
        |-- WerFault.exe

Two points worth keeping in mind when reading this tree. The sample is a 64-bit DLL, so the sandbox drove it through loaddll64.exe and rundll32.exe; what a DLL does under such a harness depends on which exports get called and can differ from how the real dropper loads it. The WerFault.exe children show that two of the rundll32 branches crashed, which fits the "Program crash" behaviour reported by another vendor below. Of the network indicators, only es.sslhermanos.com on TCP/8350 is specific to this sample; cdn.onenote.net is a Microsoft CDN and 172.67.213.25 is a shared Cloudflare address, so neither should be alerted on by itself.
Result 3
Threat name: Win64.Trojan.Mekotio
Status: Malicious
First seen: 2020-10-05 09:22:01 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result 4
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Program crash
- Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files
SHA256 hash: 4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305
MD5 hash: 7c168f46b8b7f8376b4a5d63145f7244
SHA1 hash: 575a8eaffb2c17a4dd414554dbc2e4f6a7df0922
(These hashes are identical to the submitted sample's, so this vendor extracted no separate payload from it.)

Please note that we are no longer able to provide a coverage score for VirusTotal.
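The indicators scattered through the vendor results above (the sample's SHA256, the contacted domains and the IP:port pairs from the behavior graph) are only useful once they are matched against telemetry. The following Python script is an added example and not MalwareBazaar's or any listed vendor's tooling: it encodes the entry's indicators with a confidence level that is an analyst judgement added here, scans DNS, firewall and EDR log lines constructed for illustration (the log formats and field names are assumptions), and alerts outright only on the indicators specific to this sample. cdn.onenote.net is a Microsoft CDN and 172.67.213.25 is a shared Cloudflare address (the graph itself labels it CLOUDFLARENETUS), so both are kept at low confidence and can only corroborate.

```python
"""Match the indicators from this MalwareBazaar entry against log lines.

Added example, not MalwareBazaar's own code. The indicators are the ones
listed in the entry; the log lines and their formats are constructed here.
"""
import re
from dataclasses import dataclass

# Confidence is an analyst judgement added here, not a field of the entry.
# es.sslhermanos.com on TCP/8350 is specific to this sample; cdn.onenote.net
# is a Microsoft CDN and 172.67.213.25 is a shared Cloudflare address (the
# behavior graph labels it CLOUDFLARENETUS), so they only corroborate.
IOCS = {
    "sha256": {
        "4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305": "high",
    },
    "domain": {
        "es.sslhermanos.com": "high",
        "www.perfectart.com.br": "medium",
        "cdn.onenote.net": "low",
    },
    "ip_port": {
        ("160.20.147.196", 8350): "high",
        ("172.67.213.25", 80): "low",
    },
}

SEVERITY = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    value: str
    confidence: str


# Field patterns for the three assumed log shapes used below.
DNS_RE = re.compile(r"query:\s*(?P<name>[\w.-]+)")
CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
HASH_RE = re.compile(r"sha256=(?P<h>[0-9a-fA-F]{64})")


def scan(lines):
    """Return one Hit per indicator occurrence, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            if name in IOCS["domain"]:
                hits.append(Hit(n, "domain", name, IOCS["domain"][name]))
        m = CONN_RE.search(line)
        if m:
            key = (m.group("ip"), int(m.group("port")))
            if key in IOCS["ip_port"]:
                hits.append(Hit(n, "ip_port", "%s:%d" % key, IOCS["ip_port"][key]))
        m = HASH_RE.search(line)
        if m:
            h = m.group("h").lower()
            if h in IOCS["sha256"]:
                hits.append(Hit(n, "sha256", h, IOCS["sha256"][h]))
    return hits


def triage(hits):
    """'alert' on any high-confidence hit; 'investigate' when distinct weaker
    indicators add up to at least medium+low; otherwise 'none'. Two low-only
    hits (CDN plus shared Cloudflare address) never escalate by themselves."""
    if any(h.confidence == "high" for h in hits):
        return "alert"
    distinct = {h.value: h.confidence for h in hits}
    score = sum(SEVERITY[c] for c in distinct.values())
    return "investigate" if score >= 3 else "none"


# Constructed log lines (not from the sandbox run) in three shapes:
# DNS resolver log, firewall connection log, EDR image-load event.
SAMPLE_LOGS = [
    "2020-10-05T09:30:01Z dns client=10.0.0.23 query: cdn.onenote.net type=A",
    "2020-10-05T09:30:02Z dns client=10.0.0.23 query: es.sslhermanos.com type=A",
    "2020-10-05T09:30:02Z fw action=allow src=10.0.0.23:49729 dst=160.20.147.196:8350 proto=tcp",
    "2020-10-05T09:30:03Z fw action=allow src=10.0.0.23:49728 dst=172.67.213.25:80 proto=tcp",
    "2020-10-05T09:31:10Z edr host=WS23 event=image_load process=rundll32.exe "
    "sha256=4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305",
    "2020-10-05T09:40:00Z dns client=10.0.0.41 query: cdn.onenote.net type=A",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.value} [{h.confidence}]")
    print("decision:", triage(found))
```

Run as-is it reports six hits and decides "alert", driven by the sslhermanos domain, the 160.20.147.196:8350 connection and the file hash; the lone cdn.onenote.net lookup from host 10.0.0.41 on the last line would on its own produce "none", which is the behaviour you want for a CDN every OneNote client talks to.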
