MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0
SHA3-384 hash: 069407653ee773aaa2dd74e5430f47a527f08a8ca662cae026aa8dc8317347042d6455362aeb763efdaa0a07ac12ed21
SHA1 hash: 8729e1834549808a2aeff2282389d6824848214e
MD5 hash: 0343e00e87bd5dd10cbef80152e17f2d
humanhash: freddie-seventeen-mockingbird-aspen
File name:Payment receipt.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:687'104 bytes
First seen:2020-08-13 08:51:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0aa3dcbdd0727cba5785897870b1d0ce (14 x AgentTesla, 6 x Loki, 3 x Formbook)
ssdeep 12288:mkTCaGA3RukdYUSTkq31mZqB5ke5C5y3ptXeiA+RfsvrD3:V0CEU+DTk0lp5z1sjr
Threatray 2'068 similar samples on MalwareBazaar
TLSH 31E47D62B2E0483ED126153D8F3B5FF49C25BE512A2459462BF41C4F7F3B68D382629E
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: longmao.com
Sending IP: 45.138.172.137
From: 925 Silver Jewelry<david@longmao.com>
Subject: Payment receipt
Attachment: Payment receipt.iso (contains "Payment receipt.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44987/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Mal.Generic-S.5549.16169.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Reading critical registry keys
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/425529
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 05:33:51 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gamzjbt6lsp4spjsixuxg34v5gjzv6lnbjqnpma2wiwvb5v7idia._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
097a63aa1a0f265f5ae61c25a5bf1c33f6d376969efea2e5beea2a33d20cf169
Matiex
15436f93c1a24aa8c11611baa33bb6645ae25a24f26979492917060e70a4e219
Matiex
42cca3ae2e4d971b4bd7acc8b205c22ba675aa08b760aac654514c5578d74dc2
Matiex
5360904dc2aaf53e90213fb3a0dfc6a4b7bcc163d41a0a48b6e2071af10890f6
Matiex
6d203c979eb61c198f5276e1af514c55f99a29ef59643633da6216ee3283bb0c
Matiex
9d839079365af7cef63e51d9b4e8f751272cb753852dc67092ae84dde4bf1778
Matiex
a32c890b528201772e1214ada37cf8eb9b00ac778773b52b48d92607911d2433
Matiex
a97aec67e2a556ec45ea8aa3db146d119d39b14486db55ad5b930f8295eccfae
Matiex
bb94a881c3aa20c54450ee7d907eae152aa667a7a3280f7b00b44051d92322f5
Matiex
dab4d45b3d041bec38bb40ef34ec38a6efee4c8e582c9032f22d5bca9115c189
Matiex
+ 2'058 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx spyware
Link:
https://tria.ge/reports/200813-7j3pw42mtj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

iso 8a31a2dc9f96ebdaaaa0d1881df4daafcabc8f8ba300a59e0fa5bd2bb8abcd8a

Matiex

Executable exe 301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0

(this sample)

  
Dropped by
MD5 91c1ceccd0c448f182c3f64b8b2c29ff
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44987/
  
Dropped by
SHA256 8a31a2dc9f96ebdaaaa0d1881df4daafcabc8f8ba300a59e0fa5bd2bb8abcd8a

Comments