MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bd76be4ebf2b1fa8a1580609fb475a10b669baa3d1744eaa58f3ec2df393dad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bd76be4ebf2b1fa8a1580609fb475a10b669baa3d1744eaa58f3ec2df393dad
SHA3-384 hash: 0c277fec89977f4be0f7073bae0172635d8955845a0d17bb0658cfb5d5034180304f90cafaaabc631b47dfb2117a5023
SHA1 hash: a5d04384ac4e32f5dce3127bc8f006a1d4dfe444
MD5 hash: 91e78827274aadb1ead4d484620ff27b
humanhash: idaho-magnesium-table-nuts
File name:MZUIHLHG8ENH1VSI6ANFGAMMQOY5
Download: download sample
File size:11'594'752 bytes
First seen:2020-11-13 06:29:08 UTC
Last seen:2024-07-24 15:28:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 90b1e4f00cdb5f771a950f333045292e
ssdeep 98304:mY5Z+vZ5GWygBf9SWMCCwftaZc1TQmYgHuQhy7tO23lxRjMl3ZGLPasqCi:m/LPHBlDbtaZcpnYgittvjGsasi
Threatray 3 similar samples on MalwareBazaar
TLSH BDC6AE7F7194923DC01DC57EC0638F40A533BD7A0B76C5EBA29412A81F2A5C58E7EB29
Reporter JAMESWT_WT
Tags:Mekotio spy

Intelligence

File Origin
# of uploads :
3
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Malware.Gamemodding-6726308-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/533514
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315861 Sample: MZUIHLHG8ENH1VSI6ANFGAMMQOY5 Startdate: 13/11/2020 Architecture: WINDOWS Score: 92 56 Multi AV Scanner detection for submitted file 2->56 58 Obfuscated command line found 2->58 60 Very long command line found 2->60 62 2 other signatures 2->62 8 loaddll64.exe 1 2->8         started        process3 signatures4 64 Obfuscated command line found 8->64 66 Very long command line found 8->66 11 rundll32.exe 3 2 8->11         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        19 3 other processes 8->19 process5 dnsIp6 48 workshoping.servegame.com 52.146.43.112, 49722, 6893 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->48 50 googlehosted.l.googleusercontent.com 216.58.208.129, 443, 49718 GOOGLEUS United States 11->50 52 doc-0o-64-docstext.googleusercontent.com 11->52 68 System process connects to network (likely due to code injection or exploit) 11->68 70 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->70 72 Tries to detect debuggers (CloseHandle check) 11->72 21 ipconfig.exe 1 11->21         started        23 ipconfig.exe 1 11->23         started        25 ipconfig.exe 1 11->25         started        32 8 other processes 11->32 74 Tries to detect debuggers by setting the trap flag for special instructions 15->74 76 Tries to detect virtualization through RDTSC time measurements 15->76 78 Hides threads from debuggers 15->78 27 WerFault.exe 20 9 17->27         started        30 WerFault.exe 9 19->30         started        signatures7 process8 dnsIp9 34 conhost.exe 21->34         started        36 conhost.exe 23->36         started        38 conhost.exe 25->38         started        54 192.168.2.1 unknown unknown 27->54 40 conhost.exe 32->40         started        42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        46 4 other processes 32->46 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bd76be4ebf2b1fa8a1580609fb475a10b669baa3d1744eaa58f3ec2df393dad/
Threat name:
Win64.Trojan.Mekotio
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 06:29:52 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
057c4c59d55129c9c6877afc5f428c59f86645e244383ee777d7f62d067e286e
4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305
92956d8d80a5032afc293e59db2523f649227980524b55cfaf0402545bc57050
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201113-xbjb675cdj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
6bd76be4ebf2b1fa8a1580609fb475a10b669baa3d1744eaa58f3ec2df393dad
MD5 hash:
91e78827274aadb1ead4d484620ff27b
SHA1 hash:
a5d04384ac4e32f5dce3127bc8f006a1d4dfe444
Link:
https://www.unpac.me/results/7b4b089c-cfea-4c01-81c1-46f70bde0fca/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/104772/

Comments