MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1973b3eff839047a3a75d58777161e58b49fbbbd9255966bd74add7a93507bc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1973b3eff839047a3a75d58777161e58b49fbbbd9255966bd74add7a93507bc3
SHA3-384 hash: 28d6971aa0f778d0d2803624b447e5b2f29275cdda7b949a1f8dc8bab45925c71d3aecbbe8cb0b5034f0738ee2e2166d
SHA1 hash: 7698e932161627e6b296257b9be2e918127034dc
MD5 hash: 1f3af4b1178773cdd98f752b8149cac3
humanhash: michigan-edward-blossom-failed
File name:BL & Original AWB Shipping documents.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:379'904 bytes
First seen:2020-08-04 16:23:41 UTC
Last seen:2020-08-04 17:11:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dZS3wJiGe6dwVzBzOUAxHovGri7SHkG3rm4GrBgyWPcFxhA5BCcWYvTvJGrzdF:dCwJPKzBtAxqGrdUrBjy/5f7M/
Threatray 30 similar samples on MalwareBazaar
TLSH F984016D48869E2AF96B073F5E704503CEA3D20FA111D2CF4F751589623EA2D7E05FA2
Reporter abuse_ch
Tags:DHL exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: noway.com
Sending IP: 45.127.62.50
From: DHL Express Service<dhlexpress@dhl.com>
Subject: DHL International Express Shipping AWB and parcel tracking-523***75
Attachment: BL Original AWB Shipping documents1.rar (contains "BL & Original AWB Shipping documents.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38841/
Detection(s):
SecuriteInfo.com.Generic.mg.1f3af4b1178773cd.3794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409768
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257139 Sample: BL & Original AWB Shipping ... Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 65 Sigma detected: Capture Wi-Fi password 2->65 67 Sigma detected: Scheduled temp file as task from temp location 2->67 69 Yara detected Matiex Keylogger 2->69 71 11 other signatures 2->71 8 BL & Original AWB Shipping documents.exe 7 2->8         started        12 ApplicationData.exe 5 2->12         started        process3 file4 35 C:\Users\user\AppData\Roaming\ZCkrWL.exe, PE32 8->35 dropped 37 C:\Users\user\...\ZCkrWL.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmp1514.tmp, XML 8->39 dropped 41 BL & Original AWB ...g documents.exe.log, ASCII 8->41 dropped 73 Injects a PE file into a foreign processes 8->73 14 BL & Original AWB Shipping documents.exe 15 8 8->14         started        19 schtasks.exe 1 8->19         started        75 Machine Learning detection for dropped file 12->75 21 ApplicationData.exe 14 2 12->21         started        23 schtasks.exe 1 12->23         started        signatures5 process6 dnsIp7 49 checkip.dyndns.org 14->49 51 smtp.yandex.ru 77.88.21.158, 49741, 49742, 49743 YANDEXRU Russian Federation 14->51 57 3 other IPs or domains 14->57 43 C:\Users\user\AppData\...\ApplicationData.exe, PE32 14->43 dropped 45 C:\Users\user\AppData\...\ApplicationData.url, MS 14->45 dropped 47 C:\...\ApplicationData.exe:Zone.Identifier, ASCII 14->47 dropped 59 Tries to steal Mail credentials (via file access) 14->59 61 Tries to harvest and steal ftp login credentials 14->61 63 Tries to harvest and steal WLAN passwords 14->63 25 netsh.exe 3 14->25         started        27 conhost.exe 19->27         started        53 checkip.dyndns.org 21->53 55 192.168.2.1 unknown unknown 21->55 29 WerFault.exe 21->29         started        31 conhost.exe 23->31         started        file8 signatures9 process10 process11 33 conhost.exe 25->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1973b3eff839047a3a75d58777161e58b49fbbbd9255966bd74add7a93507bc3/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 16:25:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfz3h37yhechuotv2wdxofq6lc2j7o55sjkzm26xjloxve2qppbq._file
Verdict:
unknown
Similar samples:
137b5dc137f3f0c5bc3d4e1cd1f2396b33bd5b87291f72013a98b319c130b451
Matiex
2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91
Matiex
36e5646b2622d4c47947fa54a8f35c1c9d91db60ce3116e352f9f93b8a9f3ada
Matiex
4249d6f93c374bf9199c33bbc49f57c1d1dd983e8c6356b5ed8739d326683c77
Matiex
5f829ed079ce3010fb99eca5ee356e2ffc5ab62cedfb2683ac5ac76a66fb3ed1
Matiex
8620f0e60b7c414b8b95ebf9b20e1315e74833abc55cf7bf8b3abca5e5d81ad4
Matiex
908959fae28ad03836fb12b94a9a2f80981ec15f6481c230b9108f097edeb176
Matiex
9dc8d8533e87fe22f98fb67f8705e14e93a8eeb5da355dc15251e03837334162
Matiex
d8c07fc0cc1addc3f25623ac872703d2c10ae5e8fadc7370e13b4162e063a376
Matiex
f428cda5f99c3961bb5532cd38f6c512cffb2a6dfc30865897e52d838c7cfef2
Matiex
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200804-6ega6hjk8a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Modifies service
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/1973b3eff839047a3a75d58777161e58b49fbbbd9255966bd74add7a93507bc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

rar 4feebde6967128bd3d1e0d3c19e9508cf5314c521fce66a6aa3c79f4802223cb

Matiex

Executable exe 1973b3eff839047a3a75d58777161e58b49fbbbd9255966bd74add7a93507bc3

(this sample)

  
Dropped by
MD5 3fe12264c89022d8a2efe2a93bb9145c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38841/
  
Dropped by
SHA256 4feebde6967128bd3d1e0d3c19e9508cf5314c521fce66a6aa3c79f4802223cb

Comments