MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701
SHA3-384 hash: ef3b84e6056ecca8aa1912ac20c0fcdb3e503939740751a85c258097fed0b1ea7764be1b2f18e4628645f5a4e826279b
SHA1 hash: 4e5cd64448d690fb8d3b517f9270d17d314413b1
MD5 hash: 2e40c22b5e633da9ff063fb8f9ff3e84
humanhash: alaska-vermont-massachusetts-cup
File name:Factura638a4.msi
Download: download sample
Signature Mekotio
Create hunting rule
File size:6'718'976 bytes
First seen:2022-12-02 19:20:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:W7MugD02m80rf3ljfnsL41uZDPr0gkMhoT9:W9gTm9lTsKuZuMa
Threatray 1'053 similar samples on MalwareBazaar
TLSH T18966233371A6412ED0FE89750927BF9631F21A1543A358FB65C46ECE3AB25D06332E93
TrID 77.3% (.MSI) Microsoft Windows Installer (454500/1/170)
10.3% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.5% (.MSP) Windows Installer Patch (44509/10/5)
3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Merlax_
Tags:Mekotio msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
AR AR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342035/
Detection(s):
SecuriteInfo.com.W32.Trojan.VYZK-4288.30727.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mekotio packed packed shell32.dll
Link:
https://www.filescan.io/uploads/638a4fe4f6e448d42df6f2d6/reports/85d31660-485f-4ee0-a529-28d94e366da2/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1126780
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 759504 Sample: Factura638a4.msi Startdate: 02/12/2022 Architecture: WINDOWS Score: 60 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 3 other signatures 2->56 7 msiexec.exe 12 34 2->7         started        10 OUTLOOK.EXE 502 36 2->10         started        12 KUs.r.exe 2->12         started        14 2 other processes 2->14 process3 file4 34 C:\Windows\Installer\MSI1C7A.tmp, PE32 7->34 dropped 36 C:\Windows\Installer\MSI1A17.tmp, PE32 7->36 dropped 38 C:\Windows\Installer\MSI194B.tmp, PE32 7->38 dropped 40 2 other malicious files 7->40 dropped 16 msiexec.exe 1 19 7->16         started        process5 dnsIp6 42 40.114.107.82, 2381, 49696 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->42 44 ipinfo.io 34.117.59.81, 443, 49695 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->44 26 C:\Users\user\...\q8b066d2swj2o2onj95ssss, PE32 16->26 dropped 28 C:\Users\user\AppData\...\jvpklubqzv.mva, PE32 16->28 dropped 30 C:\Users\user\AppData\...\KUs.r.exe (copy), PE32 16->30 dropped 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->58 60 May check the online IP address of the machine 16->60 62 Overwrites code with function prologues 16->62 64 Hides threads from debuggers 16->64 21 KUs.r.exe 3 18 16->21         started        file7 signatures8 process9 dnsIp10 46 novaera.gleeze.com 185.101.93.138 MYVIRTUALSERVERmyVirtualserverDE Germany 21->46 48 ipinfo.io 21->48 32 C:\Users\user\AppData\Local\...\4d26bfd.dll, PE32 21->32 dropped 66 Query firmware table information (likely to detect VMs) 21->66 68 May check the online IP address of the machine 21->68 70 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->70 72 5 other signatures 21->72 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701/
Threat name:
Win32.Trojan.Banbra
Create hunting rule
Status:
Malicious
First seen:
2022-12-02 18:09:59 UTC
File Type:
Binary (Archive)
Extracted files:
57
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u26nrctsxltwiybbsx4oejayd3hdcpgbpq7rxxd7od4co2vse4aq._file
Verdict:
suspicious
Similar samples:
27ec567e09d46bc9cf86e4ba699c893832403a698e414ced8b9af680c67cec2f
Mekotio
348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69
Mekotio
3b25269ee1bf950e149d758ce4074f0ddca17282fb933bc44f9a77e6d495dc1b
Mekotio
67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
Mekotio
687ac0a86056ab61af2e1c34b053e7d58ab19b64bab5d13b81e2e3dcab878426
Mekotio
94a3555c14771a4b3a7078f878e7530e04dcc846570b30f29aeb67c6733065d6
Mekotio
980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
Mekotio
b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a
Mekotio
fa91996407e821400f962f248c576cacc2163f61fa12b1f21d4ad6fede3a010e
Mekotio
fdbf873a5b98ba84b1e2d4b32b161360e25fdab595514666933bbb51f2f89a02
Mekotio
+ 1'043 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/221202-x13e3sfa64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6bcd88a72ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/a6bcd88a72bae764602195f8e224181ece313cc17c3f1bdc7f70f8276ab22701

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/342035/

Comments