MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a6818ebadd26de05a88a3938a3fc3ee593184be5448af728f5ff07e7ca2ddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: b8a6818ebadd26de05a88a3938a3fc3ee593184be5448af728f5ff07e7ca2ddc
SHA3-384 hash: 036e50e1a559ed14ff1edea8c5726c29c2ffa7e244cc68ad82ad5414fd8e9b609027c44d75befc3caa767535ef1b5dc4
SHA1 hash: ff5fa39d9302c64669c65f37547915b4252f42ba
MD5 hash: 7ad2834ccb90213af7c5c4411eb04253
humanhash: missouri-five-wolfram-wolfram
File name: INVOICE.PDF.exe
Signature: Matiex
File size: 794,624 bytes
First seen: 2020-07-31 08:38:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bd44fc7474cd1f02fae5c94314314eb4
ssdeep: 12288:4esfUazLqCwtZKGdotXPk0XvuZFuj905RzZZaGkzlDajDEV9C:4zsEQD2Pk60A8Nfmxi4C
TLSH: 88F47C22B2D04832C3231A7D8F5B976C6D3ABE532D25AAC66BF51C4C5F396407936393
Reporter: @abuse_ch
Tags: exe Matiex
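Before acting on a sample pulled from this entry, confirm that the bytes you downloaded are the bytes the entry describes. The script below is an added example, not MalwareBazaar's or abuse.ch's own code: it streams a file through the four digests listed above (MD5, SHA1, SHA256, SHA3-384) using only the standard library and reports, per algorithm, whether the result matches the value recorded here. The hash constants are copied from this entry; the chunk size and the stand-in input used in the self-test are assumptions of the example.

```python
"""Verify a downloaded sample against the hashes MalwareBazaar records for it.

Added example; not code from the MalwareBazaar page or the abuse.ch project.
"""
import hashlib
import sys
from typing import BinaryIO, Dict, Mapping, Union

# Hashes copied from this MalwareBazaar entry. Keys are hashlib algorithm names.
ENTRY_HASHES: Dict[str, str] = {
    "md5": "7ad2834ccb90213af7c5c4411eb04253",
    "sha1": "ff5fa39d9302c64669c65f37547915b4252f42ba",
    "sha256": "b8a6818ebadd26de05a88a3938a3fc3ee593184be5448af728f5ff07e7ca2ddc",
    "sha3_384": (
        "036e50e1a559ed14ff1edea8c5726c29c2ffa7e244cc68ad82ad5414fd8e9b60"
        "9027c44d75befc3caa767535ef1b5dc4"
    ),
}


def compute_hashes(data: Union[bytes, bytearray, BinaryIO],
                   chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return hex digests for every algorithm in ENTRY_HASHES.

    Accepts raw bytes or a binary file object; file objects are read in
    chunks (size is an assumed default) so large samples are never fully
    loaded into memory.
    """
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    if isinstance(data, (bytes, bytearray)):
        for h in hashers.values():
            h.update(data)
    else:
        while True:
            chunk = data.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data: Union[bytes, bytearray, BinaryIO],
                  expected: Mapping[str, str] = ENTRY_HASHES) -> Dict[str, bool]:
    """Compare the sample's digests with the expected ones, algorithm by algorithm.

    Every entry must be True before the file can be treated as this sample;
    a single mismatch means you have a different file (or a corrupted download).
    """
    actual = compute_hashes(data)
    return {name: actual[name] == expected[name].lower() for name in expected}


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-downloaded-file>
    with open(sys.argv[1], "rb") as fh:
        results = verify_sample(fh)
    for name, ok in results.items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

The digests, not the vendor labels, are what identify this file: the three vendor verdicts further down disagree on the family name (Matiex, Win32.Trojan.FormBook, Tinba), while the reporter tag and the YARA match both say Matiex. Verify the hashes first, then weigh the labels.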


Twitter
@abuse_ch
Malspam distributing unidentified malware:

HELO: saturn2.communilink.net
Sending IP: 203.124.10.244
From: Acount Director <ronny.yu@trust-link.com.hk>
Subject: Proforma Invoice
Attachment: INVOICE.PDF.z (contains "INVOICE.PDF.exe")
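The lure in the malspam above is a classic double extension: the archive member is named INVOICE.PDF.exe so that a client hiding known extensions shows "INVOICE.PDF". The sandbox verdicts further down flag exactly this ("Suspicious Double Extension"). The following is an added example, not code from abuse.ch or the sandbox vendors, of the equivalent check at the mail gateway: it inspects an attachment name and, when the attachment is an archive such as the .z wrapper seen here, the member names inside it. The extension lists are the example's own assumptions, and the member list passed in the self-test is constructed from the tweet, not read from the real archive.

```python
"""Flag attachment names that hide an executable behind a document-looking extension.

Added example; not code from the MalwareBazaar page, abuse.ch or any sandbox vendor.
"""
from typing import Iterable, List, NamedTuple, Optional

# Extensions a recipient reads as "a document" (assumed list; .PDF is the lure in this sample).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
# Extensions Windows runs on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi"}
# Archive wrappers that often pass mail gateways; members inside still need checking (assumed list).
ARCHIVE_EXTS = {"z", "zip", "rar", "7z", "gz", "ace", "arj", "iso", "img"}


class Finding(NamedTuple):
    name: str       # attachment or archive-member name as received
    lure_ext: str   # the extension the user is meant to see
    real_ext: str   # the extension that actually determines how Windows opens the file


def split_exts(name: str) -> List[str]:
    """'INVOICE.PDF.exe' -> ['pdf', 'exe']; the base name itself is dropped."""
    parts = name.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(name: str) -> Optional[Finding]:
    """Return a Finding when the final extension is executable and the one before it is a document type."""
    exts = split_exts(name)
    if len(exts) < 2:
        return None
    lure, real = exts[-2], exts[-1]
    if real in EXECUTABLE_EXTS and lure in DOCUMENT_EXTS:
        return Finding(name.strip(), lure, real)
    return None


def triage_attachment(name: str, members: Iterable[str] = ()) -> List[Finding]:
    """Check an attachment name and, if it is an archive, the names of the members it carries.

    `members` is the list of file names the caller extracted from the archive
    listing; it is only consulted when `name` itself ends in an archive extension.
    """
    findings: List[Finding] = []
    top = check_attachment(name)
    if top is not None:
        findings.append(top)
    exts = split_exts(name)
    if exts and exts[-1] in ARCHIVE_EXTS:
        for member in members:
            hit = check_attachment(member)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    # Reproduces the case from the tweet; the member list is constructed, not read from the archive.
    for f in triage_attachment("INVOICE.PDF.z", ["INVOICE.PDF.exe"]):
        print(f"suspicious double extension: {f.name} (shows as .{f.lure_ext}, runs as .{f.real_ext})")
```

The check is deliberately narrow: a file that is simply `setup.exe` or simply `report.pdf` is not flagged, because the signal is the mismatch between what the name advertises and what it runs as, not the presence of an executable on its own. Pair the finding with the sending IP and HELO recorded above when writing the block rule.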

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness: n/a
Behaviour
Creating a window
Unauthorized injection to a recently created process
Using Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Result
Threat name: Matiex
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sigma detected: Suspicious Double Extension
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Matiex Keylogger
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-07-31 02:11:00 UTC
AV detection: 14 of 31 (45.16%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Threat name: Tinba
Score: 1.00

Yara Signatures


Rule name: win_matiex_keylogger_v1
Author: Johannes Bader @viql
Description: detects the Matiex Keylogger

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Matiex
Executable exe b8a6818ebadd26de05a88a3938a3fc3ee593184be5448af728f5ff07e7ca2ddc (this sample)
Delivery method: Distributed via e-mail attachment

Comments