MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f724bcf4c7048f177dcf17bd2b68822f75b9ff41957f026d7ceb6ff0082a25b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f724bcf4c7048f177dcf17bd2b68822f75b9ff41957f026d7ceb6ff0082a25b0
SHA3-384 hash: de5ddb657fdb11fa14b8810324be382b1f1f8eebda3bd5eb356a0f6f68dfb60f64a56d8e02559ecc15f99b16f2eaa924
SHA1 hash: fbb4747ba4a4fd8b83f2df8b41cfe85ae5662515
MD5 hash: dc1b2578f1fcbaaf4e9cbfc52586edc8
humanhash: saturn-winner-winter-salami
File name:PO 6522301.PDF.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:306'176 bytes
First seen:2020-08-08 09:04:19 UTC
Last seen:2020-08-08 10:09:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:3yv6f9qRpy6PdZ0Fz+ty0KX3dMbaSndNrMuZepoXYjPgiWpiA:3yv6fAz0Fujc3HSnrM0eprgrpiA
Threatray 86 similar samples on MalwareBazaar
TLSH 875402855BBD5FB2CAFD2BF5A4DD304007BC99D66293F3542E9935FA34A232006C13A6
Reporter abuse_ch
Tags:exe Matiex Yahoo


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: sonic313-15.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.133.125
From: Admin Service <enjazgroup@yahoo.com>
Reply-To: Admin Service <enjazgroup@yahoo.com>
Subject: Purchase Order
Attachment: PO 6522301.PDF.rar (contains "PO 6522301.PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42169/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.30717.8920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Reading critical registry keys
Launching the process to change network settings
Moving of the original file
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415829
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Moves itself to temp directory
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260157 Sample: PO 6522301.PDF.exe Startdate: 08/08/2020 Architecture: WINDOWS Score: 100 42 Sigma detected: Capture Wi-Fi password 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 Yara detected Matiex Keylogger 2->46 48 12 other signatures 2->48 8 PO 6522301.PDF.exe 7 2->8         started        process3 file4 28 C:\Users\user\AppData\...\WHvHKIJfGSg.exe, PE32 8->28 dropped 30 C:\Users\...\WHvHKIJfGSg.exe:Zone.Identifier, ASCII 8->30 dropped 32 C:\Users\user\AppData\Local\...\tmpAFB2.tmp, XML 8->32 dropped 34 C:\Users\user\...\PO 6522301.PDF.exe.log, ASCII 8->34 dropped 50 Injects a PE file into a foreign processes 8->50 12 PO 6522301.PDF.exe 15 5 8->12         started        16 schtasks.exe 1 8->16         started        18 PO 6522301.PDF.exe 8->18         started        20 2 other processes 8->20 signatures5 process6 dnsIp7 36 checkip.dyndns.org 12->36 38 smtp.yandex.ru 77.88.21.158, 49729, 49730, 49731 YANDEXRU Russian Federation 12->38 40 3 other IPs or domains 12->40 52 Moves itself to temp directory 12->52 54 Tries to steal Mail credentials (via file access) 12->54 56 Tries to harvest and steal ftp login credentials 12->56 58 Tries to harvest and steal WLAN passwords 12->58 22 netsh.exe 3 12->22         started        24 conhost.exe 16->24         started        signatures8 process9 process10 26 conhost.exe 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f724bcf4c7048f177dcf17bd2b68822f75b9ff41957f026d7ceb6ff0082a25b0/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-08 01:32:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=64slz5ghashro7opc66sw2ecf523t72bsv7qe3l45nx7acbkewya._file
Verdict:
unknown
Similar samples:
322eeeb2b916b9cbced49b43ad579f100ede0dd79ae6cb115f764084ed0a3627
Matiex
50529809a9b92f2b353e94a27b850f7be76f820c9a413a5968d686026936c133
Matiex
5092d9ebc85e835f7ef16d20b935cf58cc52715c0cfdb88a2723d3a34f9b1526
Matiex
58322659acfc21d063a2acb0d64ea2846d21ab2e256b0ae4f83646ff03bf2387
Matiex
63f3c0c57169df7444e25fcfcc6626bc14d6e85dea12a1b6bb137e780f71cbb5
Matiex
983642426c54efb09b590e6f4344483d07b99a9e3a2551d504d4293183d701c3
Matiex
a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c
Matiex
acf7a212615c205ab87f28d19c97bc50fb93d8568f3960b06d2174d1c28f355e
Matiex
b3349406861e76bfb84f4757a646c3fe94eb5e1cd27abeeffa48aabb6c8fa4d5
Matiex
c8c4219d39faa8c727e9905b5156f4bc71c4bfbb4c9495c8a80be7020cd4380f
Matiex
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200808-9zj1kmbgle/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Modifies service
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f724bcf4c7048f177dcf17bd2b68822f75b9ff41957f026d7ceb6ff0082a25b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

rar 6df680b0ce18173aec143502e2a4e8fa219ebe4ac4f42c639e64ff8a1afdd129

Matiex

Executable exe f724bcf4c7048f177dcf17bd2b68822f75b9ff41957f026d7ceb6ff0082a25b0

(this sample)

  
Dropped by
MD5 1feb87a1cde3b978bddc82f2bc762443
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42169/
  
Dropped by
SHA256 6df680b0ce18173aec143502e2a4e8fa219ebe4ac4f42c639e64ff8a1afdd129

Comments