MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6438b80d095ec295859cb2b1c099f1ae2ac0485705a447b991e84b551e40047e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6438b80d095ec295859cb2b1c099f1ae2ac0485705a447b991e84b551e40047e
SHA3-384 hash: 850f80d2776f62a8fbd9666d4b5eac92c733f691a1569d5f48003e88500e572317d2a1fc17ab7b176c62ea2211da993f
SHA1 hash: cd2a44a2bae5b250be394f21c947014f2c6d1aab
MD5 hash: c25c9e302e3bbc669e210c961e271f2e
humanhash: utah-burger-oxygen-fifteen
File name:DHL Shipment Info.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:620'544 bytes
First seen:2020-09-01 05:07:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WtiUAU/OqnUoKr6Dcsik5Sxlv5lZqHXwnL8ROcDU5YjBJ5eCCa0W:WtDAjqUtWAsik5klBlZegnvyEYjP5N
Threatray 30 similar samples on MalwareBazaar
TLSH F4D4DF202668CF22C9E98AF8D8C976FF06359C97D905F24749857D8E31B2788FB406D7
Reporter abuse_ch
Tags:DHL exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: mta1.donyc3.chereemail.com
Sending IP: 134.209.43.91
From: DHL Customer Support <dhlexpress@webemailoffice.com>
Reply-To: info@marketinfosales.com
Subject: DHL Shipment Notification
Attachment: DHL Shipment Info.zip (contains "DHL Shipment Info.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53801/
Detection(s):
SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/456154
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6438b80d095ec295859cb2b1c099f1ae2ac0485705a447b991e84b551e40047e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 23:38:27 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mq4lqdijl3bjlbm4wky4bgprvyvmascxawsepomr5bfvkhsaar7a._file
Verdict:
unknown
Similar samples:
55f2ad6469b116fdf4180faa49d9212d9c31e41ed7d0457ae0b641ebad3f0a4c
Matiex
5f43ed1dd1031fde4fb86f92ed0f656ca4a468ba5a987d6c76b332914dee7d51
Matiex
75a6581d60198c4910011fdb2c732679635b35ed28db20f9d3483c89efb26db6
Matiex
c0cb41070b74fa0e592f10c6d5312e55009f1cc884bd1c242591bc75c5f9e5eb
Matiex
c176d7b838d9146e64732d143cda3c07f4c76b693ab940ca045a51d07c52faae
Matiex
cfefe5d485164b99beeb1aea8faca9e61f8a53d4b742ebf733922a0896511b50
Matiex
d171c033a6424ac3d0fc71f4323c1c340256c02228d4fb0c49124af4abab6be0
Matiex
edb014655bf6c7464325b44856019f5fb1aedb94fe9ed988faa0c77d82875d3c
Matiex
f544548656da95993af2c115a9af5eb499741c1c9914ef556bbd599391ae769e
Matiex
fb51d5ec0f3c5b0ea82d4a37cd9a53e070efaaa4f067ea89301c089e0dea8a76
Matiex
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200901-yxbpbplhfx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Modifies service
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6438b80d095ec295859cb2b1c099f1ae2ac0485705a447b991e84b551e40047e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip a4c832d2df84b3c31d5d1daf2f02c3e48e9f4b3b6f5d2032bb2fc425c662de66

Matiex

Executable exe 6438b80d095ec295859cb2b1c099f1ae2ac0485705a447b991e84b551e40047e

(this sample)

  
Dropped by
MD5 f03f3613e088aed817c2085cea98a629
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53801/
  
Dropped by
SHA256 a4c832d2df84b3c31d5d1daf2f02c3e48e9f4b3b6f5d2032bb2fc425c662de66

Comments