MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20e1f222ebae73bc71db60552d3733124fc5a2ce835ca2dde406c34217e6a061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 1 Comments

SHA256 hash: 20e1f222ebae73bc71db60552d3733124fc5a2ce835ca2dde406c34217e6a061
SHA3-384 hash: 1dfbfb8132beb81203f4d5e78b2ed28217a2408a48e23f84e69d40523ed19f60a07cecdb33442ef84efa050ecb13aea5
SHA1 hash: 5591bfdbad8f70d177b2889f0242d858fafc7750
MD5 hash: 1275d29213c2580894371739beb16148
humanhash: nine-one-fish-georgia
File name:PAYMENT ADVICE.pdf.exe
Download: download sample
Signature Matiex
File size:403'456 bytes
First seen:2020-07-31 13:44:34 UTC
Last seen:2020-07-31 15:08:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:hHuZEaQPMFGEZuaAS29WTnq+Y79R4yRI0YXgmf:hHu6aQPuGIgS28TnqX79CyRI0YXg
TLSH 3984BE4CB0DA651BF412317F9FF9819BCEAAF56F2683422B12B5259790787086EC0F71
Reporter @James_inthe_box
Tags:exe Matiex

Intelligence


File Origin
# of uploads :
3
# of downloads :
46
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Geo location:
IT Italy
Volume:
Low
Geo location:
CH Switzerland
Volume:
Low
Geo location:
NL Netherlands
Volume:
Low
Vendor Threat Intelligence
Gathering data
Result
Threat name:
AgentTesla Matiex
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-07-31 12:03:46 UTC
AV detection:
24 of 31 (77.42%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Threat name:
Kryptik
Score:
1.00

Yara Signatures


Rule name:win_matiex_keylogger_v1
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments