MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfa20a3a8248d963ab012b69d808648beeba7627bfac7f73d070637233954590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mekotio


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfa20a3a8248d963ab012b69d808648beeba7627bfac7f73d070637233954590
SHA3-384 hash: ea9119abd2721b2da14e457d586e4611832ef71ca311e9ed34082cad2c4d4eac0132641d155f40b051f66ad88269b539
SHA1 hash: 54370c788fa466004c2e1af49ebb0eb20d1235cd
MD5 hash: 4151656534a6c6273f6630677f04e15b
humanhash: crazy-sweet-bravo-seven
File name:#PackedThemida #BankerMekotio_n2.sample
Download: download sample
Signature Mekotio
Create hunting rule
File size:5'280'768 bytes
First seen:2021-11-13 06:35:39 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 07dfab11c89d0fa9c9adf0b5138254a0 (1 x Mekotio)
ssdeep 98304:0W/CV24vva4aJ0Z5Lh5vVWE3ylYrJ30e4fSo69bxtHI+O:0aCRAJ0LLh3WEdrl0fSo69vHNO
TLSH T1FC36331F6167295CF5ACAF7936011A2568F490F37BE45B0C05439F2DFE0CB29ABB6806
Reporter KodaES
Tags:banker dll Mekotio

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205404/
Detection(s):
PUA.Win.Packer.ThemidaWinlicen-6
Create hunting rule

PUA.Win.Packer.Themida-14
Create hunting rule

PUA.Win.Packer.ThemidaWinlicen-5
Create hunting rule

Win.Malware.Ursu-9826249-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/618f5cd73edf00a722d18ac4/reports/b5aa03ab-501b-4b53-bf57-e1e74cabcb0c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59fc8233-8244-463b-bcea-210797c7f314
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888480
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520953 Sample: #PackedThemida #BankerMekot... Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 35 Antivirus detection for URL or domain 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 3 other signatures 2->41 8 loaddll32.exe 1 2->8         started        process3 signatures4 47 Hides threads from debuggers 8->47 49 Potentially malicious time measurement code found 8->49 51 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->51 11 rundll32.exe 8->11         started        14 rundll32.exe 3 8->14         started        18 cmd.exe 1 8->18         started        20 6 other processes 8->20 process5 dnsIp6 53 System process connects to network (likely due to code injection or exploit) 11->53 55 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->55 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Potentially malicious time measurement code found 11->59 29 polmasteque.org 206.72.205.68, 443, 49780, 49782 IS-AS-1US United States 14->29 31 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49786 DROPBOXUS United States 14->31 33 4 other IPs or domains 14->33 27 C:\Users\user\AppData\Local\...\8fiht4B.exe, PE32 14->27 dropped 61 Hides threads from debuggers 14->61 63 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->63 22 rundll32.exe 18->22         started        file7 signatures8 process9 signatures10 43 Hides threads from debuggers 22->43 45 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->45 25 WerFault.exe 23 9 22->25         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfa20a3a8248d963ab012b69d808648beeba7627bfac7f73d070637233954590/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 06:35:55 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6rauoucjdmwhkybfnu5qcderpxlu5rhx6wh646qobrxem4viwia._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion
Link:
https://tria.ge/reports/211113-hcx35abffj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Identifies Wine through registry keys
Unpacked files
SH256 hash:
b06470d8a9eb1728aefd0ac02dcc7bfdbdaad8b1c22187b5503542fa2136ab93
MD5 hash:
39976cf1a9d909a2a8003ed5bb72aadf
SHA1 hash:
54f1ef0e1ae3de138da112695ce04b6be8a3874f
Link:
https://www.unpac.me/results/647cfde5-589a-46d3-b935-113ede75b810/
SH256 hash:
cfa20a3a8248d963ab012b69d808648beeba7627bfac7f73d070637233954590
MD5 hash:
4151656534a6c6273f6630677f04e15b
SHA1 hash:
54370c788fa466004c2e1af49ebb0eb20d1235cd
Link:
https://www.unpac.me/results/647cfde5-589a-46d3-b935-113ede75b810/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205404/

Comments