MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4ba5e8f98fe70d764df71b7c390237b90ed0fc3408579a15a06ee56008a3531. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MyloBot


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4ba5e8f98fe70d764df71b7c390237b90ed0fc3408579a15a06ee56008a3531
SHA3-384 hash: 571f34fa0f21760e458b665f0bf492fcdd7f130c53c17d28aee550af863527f0bee6004ab3cc2dd164a70aea14239305
SHA1 hash: 2a6b0f3a422a49e450cc39354fd687084c8a209e
MD5 hash: c5307c17eeda787432f82f1d648a368c
humanhash: hot-lamp-paris-jig
File name:Win32.MyLobot.exe
Download: download sample
Signature MyloBot
Create hunting rule
File size:180'224 bytes
First seen:2020-11-09 10:20:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8691188c285d2cf8265c0e15c738ffb (5 x MyloBot)
ssdeep 3072:Df5M0zA8NTyQXMyVAyzPt+irbu5xYWLFQ3aC6ulgkNS82avsM:3AgeQcaJrFWxm6ulgWS82ZM
TLSH A8041206B894C472C1452474457FD1841B3E9E1397A992CB3F692AAFAF323E59F3231E
Reporter RezaSharifi
Tags:mylobot

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'761
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Agent-6584633-0
Create hunting rule

Win.Trojan.Agent-6947762-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching cmd.exe command interpreter
Launching a process
Creating a file in the %temp% directory
Creating a window
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Khalesi
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/526187
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Khalesi
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312183 Sample: Win32.MyLobot.exe Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Khalesi 2->50 52 2 other signatures 2->52 10 Win32.MyLobot.exe 2->10         started        13 vfhvauvt.exe 2->13         started        15 vfhvauvt.exe 2->15         started        process3 signatures4 62 Detected unpacking (changes PE section rights) 10->62 64 Detected unpacking (overwrites its own PE header) 10->64 66 Contains functionality to inject code into remote processes 10->66 68 Contains functionality to compare user and computer (likely to detect sandboxes) 10->68 17 Win32.MyLobot.exe 5 10->17         started        70 Injects a PE file into a foreign processes 13->70 20 vfhvauvt.exe 13->20         started        22 vfhvauvt.exe 15->22         started        process5 file6 38 C:\Users\user\AppData\...\vfhvauvt.exe, PE32 17->38 dropped 24 vfhvauvt.exe 17->24         started        process7 signatures8 54 Antivirus detection for dropped file 24->54 56 Multi AV Scanner detection for dropped file 24->56 58 Detected unpacking (changes PE section rights) 24->58 60 2 other signatures 24->60 27 vfhvauvt.exe 1 24->27         started        process9 signatures10 72 Writes to foreign memory regions 27->72 74 Allocates memory in foreign processes 27->74 76 Creates a thread in another existing process (thread injection) 27->76 78 Injects a PE file into a foreign processes 27->78 30 cmd.exe 1 2 27->30         started        process11 dnsIp12 40 192.168.2.1 unknown unknown 30->40 42 wmarxti.com 30->42 44 2 other IPs or domains 30->44 80 Monitors registry run keys for changes 30->80 82 Writes to foreign memory regions 30->82 84 Creates a thread in another existing process (thread injection) 30->84 86 2 other signatures 30->86 34 notepad.exe 30->34         started        36 conhost.exe 30->36         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4ba5e8f98fe70d764df71b7c390237b90ed0fc3408579a15a06ee56008a3531/
Threat name:
Win32.Trojan.Khalesi
Create hunting rule
Status:
Malicious
First seen:
2018-06-06 08:47:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
44 of 48 (91.67%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-9qstper36n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_mylobot_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_mylobot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_mylobot_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments