MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d864f38a61ace8f5a7bef4bf99db564b54ed8338a941c0132f2e9bc6349807c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: 9d864f38a61ace8f5a7bef4bf99db564b54ed8338a941c0132f2e9bc6349807c
SHA3-384 hash: aa7855a938522372b15054fe56b69b39fda48a5d85309a008457818776434ac81e1bcca91a55e243e6f11e2f60ab46c4
SHA1 hash: 4ecdb49b37876f7d55392de145de6597efa054b6
MD5 hash: 47dd44eecb79c6f4a53675051056a115
humanhash: monkey-december-beer-fifteen
File name: N0BX9PKL13J1U9OWO6D5QRRIM9Y90KV
File size: 8'720'896 bytes
First seen: 2020-11-04 10:22:02 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 70209a1bf30a63f4b2785878e500abaf
ssdeep: 196608:5T6Pt/nvjnAQgWq0pA8yvTCVqUaxYPv8rFd:5T0bAw9WA4Gv8Zd
Threatray: 2 similar samples on MalwareBazaar
TLSH: 2096D017F248617EC06B4A3A4437EF90A53B77B52A0A8CA75BF0494C4F35291EB3E647
Reporter: JAMESWT_WT
Tags: Mekotio spy

Intelligence


File Origin
# of uploads: 1
# of downloads: 90
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-11-04 10:18:12 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SHA256 hash: 9d864f38a61ace8f5a7bef4bf99db564b54ed8338a941c0132f2e9bc6349807c
MD5 hash: 47dd44eecb79c6f4a53675051056a115
SHA1 hash: 4ecdb49b37876f7d55392de145de6597efa054b6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments