MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mekotio

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
SHA3-384 hash:	6ac4eb1200161d453ea2dce9481f46bf6bb5a082385628e52186dd834fbb5d4f93bb53a6503adab977f3b442f0384398
SHA1 hash:	a0589b1f99ce22c25384a97cfaa6ee73a5047b30
MD5 hash:	111b9f1bf78e198656c822fe9cdaa4cf
humanhash:	fruit-august-cup-zebra
File name:	67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
Download:	download sample
Signature	Mekotio Create hunting rule
File size:	2'575'872 bytes
First seen:	2022-06-20 07:47:54 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	49152:QkQNitjVqoAbAUKtulJl7VFv1lxKOC8fE/co0Oj+qHfV5xJd9zlYdxDOjSETeVf2:ttMLAptulbxKO1fTCWOjSEPYKHqJY7
Threatray	972 similar samples on MalwareBazaar
TLSH	T1A8C5AE26759AC636FA7E8270652DCB7A60B97FF00BB244EB63C4592E0D744C10272F67
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	JAMESWT_WT
Tags:	Mekotio msi

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/281456/

Detection(s):

SecuriteInfo.com.AutoIT_Compiled.11820.19429.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

75%

Tags:

anti-vm evasive fingerprint shell32.dll

Link:

https://www.filescan.io/uploads/62b0264008903778452924bd/reports/38914495-3672-445d-85fc-3c34c95f2e8f/overview

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1016125

Signature

May check the online IP address of the machine

Sample or dropped binary is a compiled AutoHotkey binary

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a/

Threat name:

Win32.Downloader.BanLoad

Status:

Malicious

First seen:

2022-06-20 07:48:44 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

3 of 41 (7.32%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7muv27kc47yyw5ux3kc6uejpzhlsf7khyma2d5avk4bdsjs3r5a._file

Verdict:

unknown

Mekotio

348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69

Mekotio

6cb693b434ef3c9155fd802d07ef6e3d77fb2ca90435d89fa945ddf525170a0a

Mekotio

94a3555c14771a4b3a7078f878e7530e04dcc846570b30f29aeb67c6733065d6

Mekotio

980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0

Mekotio

ba7753740ad8417eefd87b7ca66888ac93184752769db47b467d47687a132597

Mekotio

d95edec180d7c2ea69585c2e2fe6f7d30421fe0974b38afdc88a4ba756514cd6

Mekotio

fa91996407e821400f962f248c576cacc2163f61fa12b1f21d4ad6fede3a010e

Mekotio

fdbf873a5b98ba84b1e2d4b32b161360e25fdab595514666933bbb51f2f89a02

Mekotio

+ 962 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220620-jm45vsahej/

Behaviour

Checks SCSI registry key(s)

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/67d94aebea17/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/281456/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample