MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mekotio

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5
SHA3-384 hash:	851f9c4fbdb48fd38cc5b3e9d78e3bccd20d157ee6f86704e4727bb1bbed189e36560843ba52bd97193fe54b1216acc9
SHA1 hash:	33bf9b1c066990d647ed07578a1afa2f87758971
MD5 hash:	32be17a8e6c238d6102924c1c123c56b
humanhash:	alanine-zebra-ten-ohio
File name:	H026D00321035JJSR7D65.msi
Download:	download sample
Signature	Mekotio Create hunting rule
File size:	6'976'000 bytes
First seen:	2021-05-26 11:41:23 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:M7VYoaMkkEbKZ1sV9BSCkdJkPSFGu3i48s4SI:M7VYo/kkES1yvSCkdJkPSUu9N
Threatray	46 similar samples on MalwareBazaar
TLSH	91662321B182C133D4AE017066BEDBBF457DBA2117B580EB63D88E191E716D22736BC7
Reporter	JAMESWT_WT
Tags:	Mekotio msi spy

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/162353/

Detection(s):

SecuriteInfo.com.Variant.Graftor.953389.19237.29174.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5/

Threat name:

Script.Downloader.BanLoad

Status:

Malicious

First seen:

2021-05-26 11:37:15 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

13 of 29 (44.83%)

Threat level:

3/5

Verdict:

unknown

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion persistence themida trojan

Link:

https://tria.ge/reports/210526-h7q25l6pyn/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/162353/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample