MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c
SHA3-384 hash: efb903fcceeb7b7d5d76a5e02895ca8e8c54dbe6aa88786b4b5fee5064e6a30a1027c25b58dcdb23ffa3c6335f8e987e
SHA1 hash: ce854ebd481c03df98625619bcc258614fc19515
MD5 hash: 9c10a526a73893354ffda1070e3c438f
humanhash: diet-don-oklahoma-beryllium
File name:BIHBXRSIVW.rCJ
Download: download sample
Signature Mekotio
Create hunting rule
File size:15'230'464 bytes
First seen:2023-03-17 18:35:55 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d101f7a5d94d599d72693c0ec35d0a4e (1 x Mekotio)
ssdeep 393216:y1+g8B3BQ6lV7Vb3LBgTovVLRAsDEI3mtPuQTC35BeI:y1Vs3BQmBFiMVLRAsYI3OGx
Threatray 1'143 similar samples on MalwareBazaar
TLSH T12AE6237313D06A46F6B297755C3B88484C36BC62AE32C52CA11F9D9D48A1A4CEFF5732
TrID 28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
12.9% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Merlax_
Tags:dll Mekotio payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
AR AR
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mekotio packed
Link:
https://www.filescan.io/uploads/6414b313c60b3295f52b9864/reports/541fa562-3ab1-419f-a06e-b315c801dfea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2faceaa-8696-43fb-b4be-325808ab7201
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1196162
Signature
Antivirus / Scanner detection for submitted sample
DLL side loading technique detected
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 829057 Sample: BIHBXRSIVW.rCJ.dll Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Machine Learning detection for sample 2->60 62 PE file contains section with special chars 2->62 8 loaddll32.exe 1 2->8         started        11 OUTLOOK.EXE 2->11         started        process3 dnsIp4 64 Query firmware table information (likely to detect VMs) 8->64 66 DLL side loading technique detected 8->66 68 Hides threads from debuggers 8->68 70 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->70 14 rundll32.exe 3 17 8->14         started        19 cmd.exe 1 8->19         started        21 rundll32.exe 8->21         started        23 6 other processes 8->23 38 192.168.2.1 unknown unknown 11->38 signatures5 process6 dnsIp7 40 utj7u1gisugxxvptn2z.zapto.org 92.38.169.234, 49706, 80 GCOREAT Austria 14->40 42 ipinfo.io 34.117.59.81, 49698, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 14->42 36 C:\Users\user\AppData\Local\...\29489780.dll, PE32 14->36 dropped 44 System process connects to network (likely due to code injection or exploit) 14->44 46 May check the online IP address of the machine 14->46 48 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->48 54 2 other signatures 14->54 25 rundll32.exe 19->25         started        50 Hides threads from debuggers 21->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 21->52 28 WerFault.exe 23 9 21->28         started        30 WerFault.exe 23->30         started        32 WerFault.exe 23->32         started        file8 signatures9 process10 signatures11 72 Hides threads from debuggers 25->72 74 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->74 34 WerFault.exe 2 9 25->34         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 18:36:12 UTC
File Type:
PE (Dll)
Extracted files:
97
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7csupzqmkyj55x6exho5lk3z47ybrys5bdi72ehuv734gmijmwa._file
Verdict:
unknown
Similar samples:
04d87473c872231d983c1ba26e9c2d4e346d3853990a5746210dc74bfaccd833
Mekotio
56c3d1b1cf857948ea902f3dec47b29a7c84905d1533d26c1b11175a6c828649
Mekotio
57bd88bb6d0b418e64f193a7c6b6da9f18c44b092685572e8b708bfea72f8bed
Mekotio
6719c4bd451f0c988e20c4e6d4773c015fd98f2882ac1342ef4d48f31bde6cfe
Mekotio
761eb4c63b1c64b2241ead93fdf6714ec655f165fd82fb5548bd31b154ed5ce7
Mekotio
85a39af53d4d774c14a1f2f4efc55ef5b1fa684842a1a31921fe73a977825f21
Mekotio
b28a176fb0b1449351016166dcc13fe75687e7e3c0e7adc01ac5c38aaf0229ab
Mekotio
f66667737675b5cb1f3296aadb433275224d08c23ccee28107ca2fd4d5d3d53b
Mekotio
+ 1'133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/230317-w8w3lahe67/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912
MD5 hash:
d8f4ab8284f0fda871d6834e24bc6f37
SHA1 hash:
641948e44a1dcfd0ef68910768eb4b1ea6b49d10
Link:
https://www.unpac.me/results/8c881143-f88a-4599-936a-474f0ff5e9df/
SH256 hash:
9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c
MD5 hash:
9c10a526a73893354ffda1070e3c438f
SHA1 hash:
ce854ebd481c03df98625619bcc258614fc19515
Link:
https://www.unpac.me/results/8c881143-f88a-4599-936a-474f0ff5e9df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments