MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c2bcbc90aad473e93b52051f11b1c1d8f3d9436b7d95b49e1ca4c7c835b0115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 7c2bcbc90aad473e93b52051f11b1c1d8f3d9436b7d95b49e1ca4c7c835b0115
SHA3-384 hash: 8bdb1dfc3aca8e2a0f6cb19441e78a5cb7e1e834aedd87297faaa4c4ce8c123fcf7c46fe4d96c7b362bd38c1fc57e87a
SHA1 hash: ddd6386bcd0c59c1b5fd1fab95175a4d6188a3bf
MD5 hash: 6ba8f89d3e1f1e95e115f824cd469c06
humanhash: minnesota-romeo-juliet-sweet
File name: KQ9ANQ7ME18REPVHLNCMILN379K394QKLJE9ZZX
File size: 10'857'984 bytes
First seen: 2020-08-28 11:31:36 UTC
Last seen: 2020-08-28 12:50:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0c297071a71241817eac45378fe745b2
ssdeep: 196608:p0/85ogndaezN+LzFt1hiV5TLC41uegD0Lde8XSgcBqHaL8G41ag:Y8BnIzbK14gLdRcxYG4Mg
Threatray: 924 similar samples on MalwareBazaar
TLSH: D5B6333704E1BED6D271A3F1BD122446462AF8370E856631F03F4BA54A9365EEFF1A81
Reporter: JAMESWT_WT
Tags: Mekotio spy

Intelligence

File Origin
# of uploads: 2
# of downloads: 105
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Launching a process
Changing a file
Sending a UDP request
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph (rendered graph not reproduced): ID 279099; sample KQ9ANQ7ME18REPVHLNCMILN379K...; start date 28/08/2020; architecture WINDOWS; score 68. Process tree: loaddll64.exe starts three rundll32.exe instances and 2 other processes; each rundll32.exe spawns WerFault.exe; rundll32.exe contacts 192.168.2.1 (unknown). Graph signatures are those listed under Signature above.
Threat name: Win64.Trojan.Mekotio
Status: Malicious
First seen: 2020-08-28 11:33:09 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 19 of 29 (65.52%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks whether UAC is enabled
Checks BIOS information in registry
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies VirtualBox via ACPI registry values (likely anti-VM)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments