MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 686e60d6079a08eaafcdca5ab248cbc18cae7c6871b989c3bcbcb9a02fd5fad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 686e60d6079a08eaafcdca5ab248cbc18cae7c6871b989c3bcbcb9a02fd5fad9
SHA3-384 hash: 0ddc1c250511a9ebda013ebff7f55066365e9722b56b609f8ae0c45bd812337bc740786042243e9677909da32d9848d6
SHA1 hash: 2cd7139053861ec569341bcceccb7d157ccfc272
MD5 hash: c0d8d10b2098fa1da061f64ffe7af7ef
humanhash: south-alanine-purple-saturn
File name:WOHSFR01BZAC6VP3YOYSGIHL92J4B0XM50RJR34
Download: download sample
File size:11'547'648 bytes
First seen:2020-11-18 06:11:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 84ea8fcae1d50b541741ac7c39355d27
ssdeep 196608:aofeavFw5jkb71yisOuuEUunWDZfcmbGv5d:amxJHYWNKv5
Threatray 7 similar samples on MalwareBazaar
TLSH 09C6AE7F7194923DC01DC17EC0639B40E433BD7A0B72C5EB629522B81F2A5C59E7EA29
Reporter JAMESWT_WT
Tags:dll italy Mekotio Multa spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Malware.Gamemodding-6726308-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/540368
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 319285 Sample: WOHSFR01BZAC6VP3YOYSGIHL92J... Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Obfuscated command line found 2->57 59 3 other signatures 2->59 8 loaddll64.exe 1 2->8         started        process3 signatures4 61 Obfuscated command line found 8->61 63 Very long command line found 8->63 11 rundll32.exe 3 4 8->11         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        19 3 other processes 8->19 process5 dnsIp6 47 myd9hzd8cheab.winconnection.net 45.35.104.213, 49714, 49726, 8989 AS40676US United States 11->47 49 covidezenove.online 2.57.89.27, 49712, 80 AS-HOSTINGERLT Lithuania 11->49 51 3 other IPs or domains 11->51 65 System process connects to network (likely due to code injection or exploit) 11->65 67 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->67 69 Obfuscated command line found 11->69 71 Very long command line found 11->71 21 ipconfig.exe 1 11->21         started        23 ipconfig.exe 1 11->23         started        25 ipconfig.exe 1 11->25         started        31 11 other processes 11->31 73 Tries to detect debuggers by setting the trap flag for special instructions 15->73 75 Tries to detect debuggers (CloseHandle check) 15->75 77 Tries to detect virtualization through RDTSC time measurements 15->77 79 Hides threads from debuggers 17->79 27 WerFault.exe 20 9 17->27         started        29 WerFault.exe 9 19->29         started        signatures7 process8 process9 33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 31->39         started        41 conhost.exe 31->41         started        43 conhost.exe 31->43         started        45 6 other processes 31->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/686e60d6079a08eaafcdca5ab248cbc18cae7c6871b989c3bcbcb9a02fd5fad9/
Threat name:
Win64.Trojan.Mekotio
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 06:09:15 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
057c4c59d55129c9c6877afc5f428c59f86645e244383ee777d7f62d067e286e
4d45380cd5fdf967988c4f239f61827ad9a80a4d9abcfbddf6e656d9dcc50f58
4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305
6bd76be4ebf2b1fa8a1580609fb475a10b669baa3d1744eaa58f3ec2df393dad
92956d8d80a5032afc293e59db2523f649227980524b55cfaf0402545bc57050
bfd12725c557e1a9992dccff4257290adec43be6315f68471af0d26c9fa662ad
f923c5ce0a44f73f86dbb04d02905e0e0068d675f6095680b41d904380800e17
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201118-qrtc8bbfea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments