MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a
SHA3-384 hash: 5a23266085d31fd5761a3704c2d47ea76bcdf83d67e9bae06aba1b398922268b588cb53c8d40ae82e5d28f7b3cc7d64f
SHA1 hash: b3c4734cbc3846304647fbf6854f6cbb3c0ab635
MD5 hash: bbebe99bf36cb3dc4c3c37a9487468ac
humanhash: montana-leopard-winner-ten
File name:TNT E-Invoice Consignment Delivey Notification_pdf.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:410'624 bytes
First seen:2020-07-31 15:10:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:g3aJkbyUz3pLxwpy6kmy6k1y6kVy6kMy6k0Vy6key6kS2AZ:gNmUzpxOy6kmy6k1y6kVy6kMy6k0Vy6d
Threatray 53 similar samples on MalwareBazaar
TLSH 259439F067448C96D5AF6978C83656B32D63A54F9F34804C389ABF0B7D3238A8857877
Reporter James_inthe_box
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36606/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Threat name:
AgentTesla Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/406323
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a/
Threat name:
ByteCode-MSIL.Trojan.Genasep
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 15:10:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iuspotdvgqhaoynf4tqphqdq7olkgzg6avh6vwojnshor5hyd4fa._file
Verdict:
unknown
Similar samples:
01c35d1439c515026131906eb33bc1db24f75344621af5b0550f3190bdc306e4
Matiex
0cb8bcdae311f7d03af421adc9cfbe59614da294951de41ad59d2a42ab7630b9
Matiex
137b5dc137f3f0c5bc3d4e1cd1f2396b33bd5b87291f72013a98b319c130b451
Matiex
2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91
Matiex
61d9ac86c9e84f051340bf2adedaa4eb4fc7960e01f8a00d66d2ebd4201489e2
Matiex
7b63fe3a66c0833d20f06690f55fc6d6d6f337c3c3ced53076a498d6ae1556be
Matiex
8620f0e60b7c414b8b95ebf9b20e1315e74833abc55cf7bf8b3abca5e5d81ad4
Matiex
b72a41cdaa8d248aa607caa1c8e4b467d8c2dccbfc0bff04edf918e932854463
Matiex
dd780d46887a6d0abe23b50529aab25de2a5ed452ae9feba3dfbe3e6cdff7c22
Matiex
fd443146a204defbec7fec9e24c97cd70e2eba3d8bac15a1f792b32d5cd456e9
Matiex
+ 43 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200731-t9l5tqyjq2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/36606/

Comments