MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9db79c06f6927e8e60151a16a65cea76e306f746ddba026a0b1d12a355f7f16e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9db79c06f6927e8e60151a16a65cea76e306f746ddba026a0b1d12a355f7f16e
SHA3-384 hash: f9da98aeec70a2f55273bbdc5baec7663546f8b4d33f60493ac9cb9862a5893d58718a7ffd2ae8ac21ed4ac0d63a26c7
SHA1 hash: da2ecb6ab36cd483f3f196fcd88d33ca1cfd2a8b
MD5 hash: 29279a6b32d8d5b2150df6b74b3ec8e9
humanhash: ceiling-carbon-hawaii-nevada
File name:RGSUHJKBWHESGDVVYJLTT43LLKLEAK98TI3
Download: download sample
File size:6'309'888 bytes
First seen:2020-09-03 10:20:01 UTC
Last seen:2020-09-03 11:00:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4bd440db5b96af7970346bad8989264
ssdeep 98304:UDFMgwY0+0c+WcZJNjDo1TFzdYKkkWjJn98hH8Y2vNt0YeH3x+DzRA:59x3jZDo1ThdYvv198qY2vE4R
Threatray 929 similar samples on MalwareBazaar
TLSH 8D5633B700E1BED3CA34A7F67D1A24898521F9360A861174F46F47E68EA720DDBF1790
Reporter JAMESWT_WT
Tags:Mekotio spy

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54670/
Detection(s):
SecuriteInfo.com.Variant.Razy.725225.1593.14532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a UDP request
Creating a window
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/458201
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 281492 Sample: RGSUHJKBWHESGDVVYJLTT43LLKL... Startdate: 03/09/2020 Architecture: WINDOWS Score: 84 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 PE file contains section with special chars 2->56 58 Uses ipconfig to lookup or modify the Windows network settings 2->58 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 3 4 8->10         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        18 2 other processes 8->18 dnsIp5 46 elanstudio.hu 212.108.234.94, 49729, 49732, 80 INVITECHHU Hungary 10->46 48 wjip0odcyi.winconnection.net 172.107.45.209, 49742, 49743, 8350 AS40676US United States 10->48 50 3 other IPs or domains 10->50 60 System process connects to network (likely due to code injection or exploit) 10->60 62 Hides threads from debuggers 10->62 64 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->64 20 ipconfig.exe 1 10->20         started        22 ipconfig.exe 1 10->22         started        24 ipconfig.exe 1 10->24         started        30 7 other processes 10->30 66 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->66 26 WerFault.exe 21 9 16->26         started        28 WerFault.exe 9 18->28         started        signatures6 process7 process8 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 30->38         started        40 conhost.exe 30->40         started        42 conhost.exe 30->42         started        44 3 other processes 30->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9db79c06f6927e8e60151a16a65cea76e306f746ddba026a0b1d12a355f7f16e/
Threat name:
Win64.Trojan.Mekotio
Create hunting rule
Status:
Malicious
First seen:
2020-09-03 10:21:10 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
276ff250495d6b475c84a26dce4faa535f976780fdfc69cc0dc831dba3451a5c
33ffacc3e517f4f1dad47f1ca28d26188e202d5e2e300e1e71bc0a57e682292a
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
433811102726bc15416ca338a2df55ec1daaf3f2565ee00d7f6484064746fb30
7a445143a652f58fa4abc4957269aea8f884f71e7f4654b56385491eb544b0a5
7c2bcbc90aad473e93b52051f11b1c1d8f3d9436b7d95b49e1ca4c7c835b0115
9b2ad325e0cda26d0cd3769bea307050581d5c38d40d1281ff7e6b56420369cd
a78df3ea7c9bcf96c6c9db033be7a66d9c418c1acfa3c8efc3c4ba313c5b4fad
d6ba040d10d1fb8e0f6a8b1d5378be566f6d3816bf1a00fb3e0bb6eed29346b2
+ 919 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200903-8wn9a4mb26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks whether UAC is enabled
Checks BIOS information in registry
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9db79c06f6927e8e60151a16a65cea76e306f746ddba026a0b1d12a355f7f16e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54670/

Comments