MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mekotio


Vendor detections: 6



SHA256 hash: 980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
SHA3-384 hash: aac70557bd94b1f41f96bcc08ebf2f76d8c5c05f0bb1bf1def1972cf1231d36e8774f18d2a7bd284caacd951d411fd95
SHA1 hash: 9adb160eefa4d5ed09726fc176b0080c0e3f42b4
MD5 hash: ec7cfc6eec0ecab8bc1c3976ef74e437
humanhash: nitrogen-cola-florida-yankee
File name: 66bfc5.msi
Signature: Mekotio
File size: 3'406'848 bytes
First seen: 2022-06-16 07:57:39 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:ZtMKAptulbxKO1fTCcOjSEPYsDu5+tK3Hyf:ZLxfTCcK7Du5w+HU
TLSH: T117F5CF26759AC636FA7E8270652DCB7A60B97FF00BB244EB63C4592E0D744C10272F67
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: StopMalvertisin
Tags: Mekotio msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive fingerprint shell32.dll

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Behaviour
Behavior Graph (ID: 630936; sample: Factura0522.msi; start date: 20/05/2022; architecture: WINDOWS; score: 100)
Sample-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 2 other signatures
Processes started by the sample: msiexec.exe, njsrr.exe, njsrr.exe, msiexec.exe
msiexec.exe: dropped C:\ProgramData\ufgsv1\asod8.exe (PE32), C:\Windows\Installer\MSIC9D2.tmp (PE32), C:\Windows\Installer\MSIC741.tmp (PE32) and 10 other files (none is malicious); started asod8.exe and msiexec.exe
njsrr.exe (first instance): contacted ipinfo.io and aytonavalmoral.cable-modem.org; signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Sample or dropped binary is a compiled AutoHotkey binary; started WerFault.exe (three times)
njsrr.exe (second instance): signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)
asod8.exe: contacted 45.147.197.223 port 80 (local port 49772; ON-LINE-DATA Serverlocation-Netherlands Dronten NL, Ukraine); dropped C:\ProgramData\ekupn\njsrr.exe (copy, PE32), C:\ProgramData\ekupn\knwepkgkcb.797 (PE32), C:\ProgramData\...\w16cg1490e2pdi00uxs0rggg (PE32) and 2 other files (none is malicious); signature: Sample or dropped binary is a compiled AutoHotkey binary; started njsrr.exe
njsrr.exe (started by asod8.exe): contacted 51.12.218.142 port 80 (local port 49785; MICROSOFT-CORP-MSN-AS-BLOCK US, United Kingdom), aytonavalmoral.cable-modem.org at 178.63.167.41 port 80 (local ports 49782, 49791; HETZNER-AS DE, Germany) and 2 other IPs or domains; signatures: Query firmware table information (likely to detect VMs); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 4 other signatures; started WerFault.exe (twice)
Threat name: Win32.Trojan.Mekotio
Status: Malicious
First seen: 2022-05-20 09:57:03 UTC
File Type: Binary (Archive)
Extracted files: 88
AV detection: 10 of 26 (38.46%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.