MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aed2f04618c60642965a3544d5927aa58b4092c1cce70c3a9ed55f161bb4a0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7aed2f04618c60642965a3544d5927aa58b4092c1cce70c3a9ed55f161bb4a0a
SHA3-384 hash: a1a6b3c300ef08601c8cb1a58093be659b8ad82b664874ceb71131533992b3e5345e47d5a3c802f2c291e66a990ec60f
SHA1 hash: 86b0b6e867b97f68b666fd2d93b42b8308d7426e
MD5 hash: 2187f88f99a58bbe6d8d76447ddec93e
humanhash: golf-carpet-oscar-lion
File name:Fact63bfc.msi
Download: download sample
Signature Mekotio
Create hunting rule
File size:6'902'784 bytes
First seen:2023-01-12 08:53:24 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:NYEtM2Af5tdoOS8mcA18WgQLKk9jEOy0pqQdA43Ak+jVktqMh8+pBwThNVCjHRrG:9M5tyr8mak9c0p243MlQwTLVCxZw
Threatray 1'020 similar samples on MalwareBazaar
TLSH T1F066232372978122D0EE85364E27BF9A30B1273447A354FFB6C51DCE25A65E06372E93
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter ventress
Tags:Mekotio msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352207/
Detection(s):
SecuriteInfo.com.W32.Trojan.VYZK-4288.30727.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mekotio shell32.dll
Link:
https://www.filescan.io/uploads/63bfcaac7620de0149a339ff/reports/02a0fc4f-8a0a-4126-aa9d-49a87caa879d/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/7aed2f04618c60642965a3544d5927aa58b4092c1cce70c3a9ed55f161bb4a0a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1150167
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782896 Sample: Fact63bfc.msi Startdate: 12/01/2023 Architecture: WINDOWS Score: 60 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 3 other signatures 2->56 7 msiexec.exe 12 34 2->7         started        10 OUTLOOK.EXE 502 36 2->10         started        12 gla.0.exe 2->12         started        14 2 other processes 2->14 process3 file4 34 C:\Windows\Installer\MSI3563.tmp, PE32 7->34 dropped 36 C:\Windows\Installer\MSI32FF.tmp, PE32 7->36 dropped 38 C:\Windows\Installer\MSI3243.tmp, PE32 7->38 dropped 40 2 other malicious files 7->40 dropped 16 msiexec.exe 1 20 7->16         started        process5 dnsIp6 42 172.174.70.30, 49704, 7779 ATT-INTERNET4US United States 16->42 44 ipinfo.io 34.117.59.81, 443, 49703 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->44 26 C:\Users\user\...\s1hoie807111c21hoki9j3c4sss, PE32 16->26 dropped 28 C:\Users\user\AppData\...\gla.0.exe (copy), PE32 16->28 dropped 30 C:\Users\user\AppData\...\cativwlytz.tux, PE32 16->30 dropped 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->58 60 May check the online IP address of the machine 16->60 62 Overwrites code with function prologues 16->62 64 Hides threads from debuggers 16->64 21 gla.0.exe 3 16 16->21         started        file7 signatures8 process9 dnsIp10 46 luspe.ooguy.com 21->46 48 ipinfo.io 21->48 32 C:\Users\user\AppData\Local\...\66f23b89.dll, PE32 21->32 dropped 66 Query firmware table information (likely to detect VMs) 21->66 68 May check the online IP address of the machine 21->68 70 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->70 72 5 other signatures 21->72 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7aed2f04618c60642965a3544d5927aa58b4092c1cce70c3a9ed55f161bb4a0a/
Threat name:
Win32.Trojan.Mekotio
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 23:03:30 UTC
File Type:
Binary (Archive)
Extracted files:
57
AV detection:
12 of 41 (29.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=plws6bdbrrqgiklfunke2wjhvjmlicjmdthhbq5j5vk7cyn3jifa._file
Verdict:
unknown
Similar samples:
348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69
Mekotio
3b25269ee1bf950e149d758ce4074f0ddca17282fb933bc44f9a77e6d495dc1b
Mekotio
635329a3e60baf7fc0d50d16b87c4ddc8f9300c710696dde863c3d90abb1b4a3
Mekotio
67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
Mekotio
687ac0a86056ab61af2e1c34b053e7d58ab19b64bab5d13b81e2e3dcab878426
Mekotio
94a3555c14771a4b3a7078f878e7530e04dcc846570b30f29aeb67c6733065d6
Mekotio
980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
Mekotio
a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701
Mekotio
b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a
Mekotio
fdbf873a5b98ba84b1e2d4b32b161360e25fdab595514666933bbb51f2f89a02
Mekotio
+ 1'010 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/230112-ktwbzabd4w/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7aed2f04618c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/7aed2f04618c60642965a3544d5927aa58b4092c1cce70c3a9ed55f161bb4a0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352207/

Comments