MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 630bb247d9c8f85f918a274ef04c5c5df8347176444b9e0222b68648ca999ccb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 630bb247d9c8f85f918a274ef04c5c5df8347176444b9e0222b68648ca999ccb
SHA3-384 hash: e9b684fb8f9067dc186fa9732011ff92cadadffc4dad52c9c77db7d180916e4a395dfbf6208fe69b6cc928b8a8e5b6a2
SHA1 hash: 9e51312eba1d12c9b141700d50db9349f349620b
MD5 hash: ad19d31c1acf47a74573444337f81c1c
humanhash: comet-south-hamper-hot
File name:7605122309.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:1'159'168 bytes
First seen:2020-08-03 12:53:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:qiHAgbCa8sGQTjmWLTMvQbetOaDUTqPKKwmijSiAN+yBbA:DHX8kTaWLYBjU0J+yp
Threatray 837 similar samples on MalwareBazaar
TLSH 6E3513379E9BF414E1D4C17CE0A002DDE1B75C5D9D5A369DB9923B081932B0DBB23A87
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: jmigroup-bd.com
Sending IP: 203.188.252.51
From: Steven Matile <shameem.atpl@jmigroup-bd.com>
Reply-To: chukisa22@gmail.com
Subject: RE: TOUR PACKAGE REQUEST
Attachment: env4ok 1.iso (contains "7605122309.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37815/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Pretoria.1.10176.20129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/407897
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256180 Sample: 7605122309.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 45 28 Yara detected Matiex Keylogger 2->28 30 .NET source code contains very large array initializations 2->30 7 7605122309.exe 7 2->7         started        11 pcalua.exe 1 1 2->11         started        13 pcalua.exe 1 2->13         started        process3 file4 24 C:\Users\user\sogh.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->26 dropped 34 Drops PE files to the user root directory 7->34 15 cmd.exe 1 7->15         started        17 sogh.exe 2 7->17         started        signatures5 process6 process7 19 reg.exe 1 1 15->19         started        22 conhost.exe 15->22         started        signatures8 32 Creates an autostart registry key pointing to binary in C:\Windows 19->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/630bb247d9c8f85f918a274ef04c5c5df8347176444b9e0222b68648ca999ccb/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 12:55:08 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmf3er6zzd4f7emke5hpatc4lx4di4lwirfz4arcw2dersuzttfq._file
Verdict:
unknown
Similar samples:
1973b3eff839047a3a75d58777161e58b49fbbbd9255966bd74add7a93507bc3
Matiex
27fdb772f1161e6e143fccb5ce3e4d5240896f7f9a7d21d6daefd9501dc1d81f
Matiex
89b4121aae370dd8b644fc0e426e24d17087b25e1646aaf02e56b147627efd16
Matiex
a0ecaf6fdc15c7c67f3f14860daf7b01763fd6884df5a908ee0593915cc5929c
Matiex
a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
Matiex
b46bd25fca309781558509bdb4f408b085d83c74e71adc5de4eeb349bc8c4c7a
Matiex
cbea7c520c29190723567b1bdce1c76ae7052a5ca84c42163c67419ad1ce7200
Matiex
cf8207bd6ead9bcadcaaaad2940956f75d90a67daf6ddb8dc1907900645a5f69
Matiex
de44283f7ccd395563808b6959085c30fad50e32d8a016b201c492f1f92e41d6
Matiex
f724bcf4c7048f177dcf17bd2b68822f75b9ff41957f026d7ceb6ff0082a25b0
Matiex
+ 827 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200803-spqngba2q2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/630bb247d9c8f85f918a274ef04c5c5df8347176444b9e0222b68648ca999ccb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

iso 7886d3b7f41a5caeff352a0e574e7c6dfcd89a6888f8860d8af873548b5b543e

Matiex

Executable exe 630bb247d9c8f85f918a274ef04c5c5df8347176444b9e0222b68648ca999ccb

(this sample)

  
Dropped by
MD5 95e054a70008196b02e2cfbe4480c3fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37815/
  
Dropped by
SHA256 7886d3b7f41a5caeff352a0e574e7c6dfcd89a6888f8860d8af873548b5b543e

Comments