MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad65480d4b645263f39ab76311339498ebe84af0cae8dfc2472a15c5f64c1a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MyloBot


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bad65480d4b645263f39ab76311339498ebe84af0cae8dfc2472a15c5f64c1a6
SHA3-384 hash: 70c1724c1bdd9085db94541c241702b41b1f337eac9cbb64494f3359a347403460a0a39623e2b6c5982ff71aabee4754
SHA1 hash: ed438defe81324a0cd334ff918ffd2ad67baf141
MD5 hash: f9fed70bc6fc45963c2df36bbe878671
humanhash: river-michigan-six-winter
File name:f9fed70bc6fc45963c2df36bbe878671.exe
Download: download sample
Signature MyloBot
Create hunting rule
File size:325'632 bytes
First seen:2023-02-22 09:46:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8691188c285d2cf8265c0e15c738ffb (5 x MyloBot)
ssdeep 6144:sUzicKsfwzUy7Yiro9za0SwqZeNCPIhq+pteQVrLvmgQavC:DzicRfwzLinbCPIhq+pteQpvC
Threatray 22 similar samples on MalwareBazaar
TLSH T11E6412027692C8B3C42112B1097BC1659F7AEA12236D85DFBBC8F6AB5F347C2E63111D
TrID 45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe mylobot

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9fed70bc6fc45963c2df36bbe878671.exe
Verdict:
Suspicious activity
Analysis date:
2023-02-22 09:59:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f73af7da-424f-488f-9928-b235cfdcc164

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368904/
Detection(s):
Win.Trojan.Agent-6947762-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a process with a hidden window
Сreating synchronization primitives
Launching a process
Creating a window
Creating a file
Sending a custom TCP request
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72157/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63f5e49b4cf031c9c07a37a0/reports/387bce45-8eb1-44f5-a067-2a0bbc58a933/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bad65480d4b645263f39ab76311339498ebe84af0cae8dfc2472a15c5f64c1a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa27b28b-9ccd-44b6-8b7e-7bbc559667f8
Result
Threat name:
Dorkbot, Khalesi
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180404
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Early bird code injection technique detected
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Dorkbot
Yara detected Khalesi
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813235 Sample: t74nb3aQUd.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Antivirus detection for URL or domain 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 6 other signatures 2->83 13 t74nb3aQUd.exe 2->13         started        16 9a3aeaf0.exe 2->16         started        18 vigvcuvv.exe 2->18         started        20 2 other processes 2->20 process3 signatures4 117 Detected unpacking (changes PE section rights) 13->117 119 Detected unpacking (overwrites its own PE header) 13->119 121 Contain functionality to detect virtual machines 13->121 131 2 other signatures 13->131 22 t74nb3aQUd.exe 1 13->22         started        123 Antivirus detection for dropped file 16->123 125 Multi AV Scanner detection for dropped file 16->125 127 Machine Learning detection for dropped file 16->127 25 9a3aeaf0.exe 16->25         started        129 Injects a PE file into a foreign processes 18->129 27 vigvcuvv.exe 18->27         started        29 vigvcuvv.exe 20->29         started        31 9a3aeaf0.exe 20->31         started        process5 signatures6 101 Early bird code injection technique detected 22->101 103 Writes to foreign memory regions 22->103 105 Allocates memory in foreign processes 22->105 107 3 other signatures 22->107 33 svchost.exe 2 10 22->33         started        process7 dnsIp8 65 212.8.242.104, 49685, 80 WORLDSTREAMNL Netherlands 33->65 67 buy1.pickcas.ru 217.23.11.12, 49684, 6464 WORLDSTREAMNL Netherlands 33->67 69 buy1.pqrqtaz.ru 33->69 59 C:\ProgramData\...\123838.exe, PE32 33->59 dropped 61 C:\ProgramData\...\9a3aeaf0.exe, PE32 33->61 dropped 85 System process connects to network (likely due to code injection or exploit) 33->85 87 Found stalling execution ending in API Sleep call 33->87 89 Creates autostart registry keys with suspicious names 33->89 91 7 other signatures 33->91 38 123838.exe 33->38         started        41 xvcznIflkLKHjkgmxuUELAAiyCGdu.exe 33->41 injected file9 signatures10 process11 signatures12 109 Antivirus detection for dropped file 38->109 111 Multi AV Scanner detection for dropped file 38->111 113 Detected unpacking (changes PE section rights) 38->113 115 3 other signatures 38->115 43 123838.exe 5 38->43         started        process13 file14 63 C:\Users\user\AppData\...\vigvcuvv.exe, PE32 43->63 dropped 46 vigvcuvv.exe 43->46         started        process15 signatures16 133 Antivirus detection for dropped file 46->133 135 Multi AV Scanner detection for dropped file 46->135 137 Detected unpacking (changes PE section rights) 46->137 139 3 other signatures 46->139 49 vigvcuvv.exe 1 46->49         started        process17 process18 51 cmd.exe 1 2 49->51         started        dnsIp19 71 gerxuau.com 51->71 73 ehdtatx.com 51->73 75 192.168.2.1 unknown unknown 51->75 93 Creates multiple autostart registry keys 51->93 95 Monitors registry run keys for changes 51->95 97 Writes to foreign memory regions 51->97 99 2 other signatures 51->99 55 notepad.exe 51->55         started        57 conhost.exe 51->57         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bad65480d4b645263f39ab76311339498ebe84af0cae8dfc2472a15c5f64c1a6/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 04:04:44 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 39 (89.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xllfjaguwzcsmpzzvn3dcezzjghl5bfpbsxi37beokqvyx3eygta._file
Verdict:
malicious
Similar samples:
06e6d8ba0524b9e2cc67bb11a6087324f02909c18ac608e5a20b557a65d343cb
MyloBot
372ae569d59f2ae219060acfa7e4cc3d04eaa74844d7f2d4a190c50964b8e16d
MyloBot
5ff395efe178bfcc26300500b75c4b6123a50a17c2895151e4947b137d0f8802
MyloBot
74e37b6f2f4a41923fe5283595b5bc80325ef138af5094ec021c99d140892c10
MyloBot
e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b
MyloBot
e6ba3c99d03a90b56195da9740446321c66edacfb8f1b04743bbab6a5d99d316
MyloBot
f5e0038ac8ccd2b1ec96d71c7a2b648980da3b00c2c62f0f5122640b8907b3fc
MyloBot
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230222-lr74esaf77/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Unpacked files
SH256 hash:
bad65480d4b645263f39ab76311339498ebe84af0cae8dfc2472a15c5f64c1a6
MD5 hash:
f9fed70bc6fc45963c2df36bbe878671
SHA1 hash:
ed438defe81324a0cd334ff918ffd2ad67baf141
Detections:
win_mylobot_a0
Create hunting rule
Link:
https://www.unpac.me/results/ea60d275-2f47-4546-8e6a-76fc14a6cea1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bad65480d4b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bad65480d4b645263f39ab76311339498ebe84af0cae8dfc2472a15c5f64c1a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SUSP_EXE_in_ISO
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:Internal Research
Rule name:win_mylobot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.mylobot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368904/

Comments