MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MyloBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b
SHA3-384 hash: 17a45753b6760b2a4e9cdbde19f15f28439cf97b9531ba8f47f2c758ab8e044e4fd9c8c8cbe231316f76f7519fe62267
SHA1 hash: 4a96d7efea81995543d05cdf99ab2766aefda29c
MD5 hash: 244309622315e83902f40f9c69a8d8db
humanhash: king-ink-eight-ink
File name:244309622315e83902f40f9c69a8d8db.exe
Download: download sample
Signature MyloBot
Create hunting rule
File size:325'632 bytes
First seen:2020-12-20 08:00:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8691188c285d2cf8265c0e15c738ffb (5 x MyloBot)
ssdeep 6144:p6pQNhsrudk+GlurV45DUxZy0OBrctbNs5gNp:pNNhsru0ur0UxZAW05cp
TLSH F26412027911D236C15889B9916FCF530FBF6A11420D95CB7B84013BAFF6BC1F5BA68A
Reporter abuse_ch
Tags:exe mylobot

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'790
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
244309622315e83902f40f9c69a8d8db.exe
Verdict:
Malicious activity
Analysis date:
2020-12-20 08:07:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea80f8c1-833f-4679-976e-ddd2ba9f39a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108596/
Detection(s):
Win.Trojan.Agent-6947762-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a process with a hidden window
Launching a process
Creating a file
Sending a UDP request
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Unauthorized injection to a browser process
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Dorkbot Khalesi
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566957
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to create processes via WMI
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Early bird code injection technique detected
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Dorkbot
Yara detected Khalesi
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332563 Sample: sdag45l37P.exe Startdate: 20/12/2020 Architecture: WINDOWS Score: 100 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Antivirus detection for URL or domain 2->110 112 Antivirus / Scanner detection for submitted sample 2->112 114 8 other signatures 2->114 13 sdag45l37P.exe 2->13         started        16 07989793.exe 2->16         started        18 07989793.exe 2->18         started        process3 signatures4 150 Detected unpacking (changes PE section rights) 13->150 152 Detected unpacking (overwrites its own PE header) 13->152 154 Contain functionality to detect virtual machines 13->154 164 2 other signatures 13->164 20 sdag45l37P.exe 1 13->20         started        156 Antivirus detection for dropped file 16->156 158 Multi AV Scanner detection for dropped file 16->158 160 Machine Learning detection for dropped file 16->160 23 07989793.exe 16->23         started        162 Injects a PE file into a foreign processes 18->162 25 07989793.exe 18->25         started        process5 signatures6 126 Early bird code injection technique detected 20->126 128 Writes to foreign memory regions 20->128 130 Allocates memory in foreign processes 20->130 132 3 other signatures 20->132 27 svchost.exe 2 15 20->27         started        process7 dnsIp8 82 212.8.242.104, 49729, 49730, 80 WORLDSTREAMNL Netherlands 27->82 84 buy1.pqrqtaz.ru 217.23.11.12, 49724, 9879 WORLDSTREAMNL Netherlands 27->84 86 163.172.50.16, 49726, 49733, 80 OnlineSASFR United Kingdom 27->86 68 C:\ProgramData\...\07989793.exe, PE32 27->68 dropped 70 C:\ProgramData\...\770926.exe, PE32 27->70 dropped 72 C:\ProgramData\...\715926.exe, PE32 27->72 dropped 74 2 other malicious files 27->74 dropped 166 System process connects to network (likely due to code injection or exploit) 27->166 168 Creates autostart registry keys with suspicious names 27->168 170 Creates multiple autostart registry keys 27->170 172 6 other signatures 27->172 32 770926.exe 27->32         started        35 685332.exe 27->35         started        37 269338.exe 27->37         started        39 3 other processes 27->39 file9 signatures10 process11 signatures12 88 Antivirus detection for dropped file 32->88 90 Multi AV Scanner detection for dropped file 32->90 92 Detected unpacking (changes PE section rights) 32->92 94 Contains functionality to compare user and computer (likely to detect sandboxes) 32->94 41 770926.exe 5 32->41         started        96 Detected unpacking (overwrites its own PE header) 35->96 98 Machine Learning detection for dropped file 35->98 100 Injects a PE file into a foreign processes 35->100 44 685332.exe 35->44         started        102 Contain functionality to detect virtual machines 37->102 104 Contains functionality to inject threads in other processes 37->104 47 269338.exe 37->47         started        106 Sample uses process hollowing technique 39->106 49 715926.exe 39->49         started        process13 file14 66 C:\Users\user\AppData\...\vfhvauvt.exe, PE32 41->66 dropped 51 vfhvauvt.exe 41->51         started        142 Writes to foreign memory regions 44->142 144 Allocates memory in foreign processes 44->144 146 Creates a thread in another existing process (thread injection) 44->146 148 Injects a PE file into a foreign processes 44->148 54 cleanmgr.exe 1 44->54         started        signatures15 process16 signatures17 116 Antivirus detection for dropped file 51->116 118 Multi AV Scanner detection for dropped file 51->118 120 Detected unpacking (changes PE section rights) 51->120 124 2 other signatures 51->124 56 vfhvauvt.exe 1 51->56         started        122 Contains functionality to compare user and computer (likely to detect sandboxes) 54->122 process18 process19 58 cmd.exe 1 2 56->58         started        dnsIp20 76 xfuthps.com 58->76 78 oofdgwc.com 58->78 80 2 other IPs or domains 58->80 134 Creates multiple autostart registry keys 58->134 136 Monitors registry run keys for changes 58->136 138 Writes to foreign memory regions 58->138 140 2 other signatures 58->140 62 notepad.exe 58->62         started        64 conhost.exe 58->64         started        signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b/
Threat name:
Win32.Trojan.Khalesi
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 22:20:40 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4cmrbdr5sjowps25o7vsbyzxtoxoiqvojmhjotyzzq5jofj6duvq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/201220-lmaj4r7xrj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Unpacked files
SH256 hash:
e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b
MD5 hash:
244309622315e83902f40f9c69a8d8db
SHA1 hash:
4a96d7efea81995543d05cdf99ab2766aefda29c
Detections:
win_mylobot_a0
Create hunting rule
Link:
https://www.unpac.me/results/76203877-c86c-41f2-8c02-577371489284/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_mylobot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MyloBot

Executable exe e099108e3d925d67cb5d77eb20e3379baee442ae4b0e974f19cc3a97153e1d2b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/930749/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108596/

Comments