MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7
SHA3-384 hash: e0210970700485b372db2ee9220236b3d6c4e4b1432fd79247bb212836bd242d929aabd8c54d9d1f7f09f11daea74900
SHA1 hash: 21adecb7f3e7c00e17a3a078881371af1bd6d6f3
MD5 hash: e7af6cf663f5f1dd585d35f6b68dd51a
humanhash: golf-thirteen-arizona-iowa
File name:Matiexgoods.bat
Download: download sample
Signature Matiex
Create hunting rule
File size:69'688 bytes
First seen:2021-03-09 11:42:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:5dULqG4WRsIi1I9IrVKomdkata3LZJjKhO:DG4+i1I9SZJjl
Threatray 108 similar samples on MalwareBazaar
TLSH E8635355B3805E73C4FB1C7668B733983F2B279216CE018C782C116279F2A4F8A9DE56
Reporter abuse_ch
Tags:bat Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: lucky1.263xmail.com
Sending IP: 211.157.147.133
From: 张贵强 <sale20@chinachuangxin.net>
Subject: Valid Prices
Attachment: Valid Prices.z (contains "Matiexgoods.bat")

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Matiexgoods.bat
Verdict:
Malicious activity
Analysis date:
2021-03-09 10:47:02 UTC
Tags:
evasion trojan matiex
Link:
https://app.any.run/tasks/589748ce-4722-44d4-b876-f3a39a311ddc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123164/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.1663.4081.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Sending a UDP request
Deleting a recently created file
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Setting a single autorun event
Blocking the User Account Control
Setting a global event handler for the keyboard
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632659
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 365296 Sample: Matiexgoods.bat Startdate: 09/03/2021 Architecture: WINDOWS Score: 100 60 checkip.dyndns.org 2->60 62 freegeoip.app 2->62 64 checkip.dyndns.com 2->64 80 Multi AV Scanner detection for domain / URL 2->80 82 Sigma detected: Capture Wi-Fi password 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 7 other signatures 2->86 9 Matiexgoods.exe 23 14 2->9         started        14 explorer.exe 2->14         started        16 explorer.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 78 liverpoolofcfanclub.com 104.21.31.39, 49725, 49726, 49732 CLOUDFLARENETUS United States 9->78 52 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 9->52 dropped 54 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->54 dropped 56 C:\Users\user\AppData\...\hvzbbi5f.newcfg, XML 9->56 dropped 58 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 9->58 dropped 100 Creates an autostart registry key pointing to binary in C:\Windows 9->100 102 Adds a directory exclusion to Windows Defender 9->102 104 Hides threads from debuggers 9->104 106 Drops PE files with benign system names 9->106 20 RegSvcs.exe 9->20         started        24 cmd.exe 9->24         started        26 powershell.exe 16 9->26         started        34 4 other processes 9->34 108 Drops executables to the windows directory (C:\Windows) and starts them 14->108 28 svchost.exe 14->28         started        30 svchost.exe 16->30         started        32 WerFault.exe 18->32         started        file6 signatures7 process8 dnsIp9 66 checkip.dyndns.org 20->66 68 smtp.privateemail.com 199.193.7.228, 49764, 49766, 49767 NAMECHEAP-NETUS United States 20->68 76 2 other IPs or domains 20->76 88 Tries to steal Mail credentials (via file access) 20->88 90 Tries to harvest and steal ftp login credentials 20->90 92 Tries to harvest and steal browser information (history, passwords, etc) 20->92 94 Tries to harvest and steal WLAN passwords 20->94 36 netsh.exe 20->36         started        38 conhost.exe 24->38         started        40 timeout.exe 24->40         started        42 conhost.exe 26->42         started        70 liverpoolofcfanclub.com 28->70 96 System process connects to network (likely due to code injection or exploit) 28->96 72 liverpoolofcfanclub.com 30->72 74 192.168.2.1 unknown unknown 30->74 98 Multi AV Scanner detection for dropped file 30->98 44 AdvancedRun.exe 34->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        signatures10 process11 process12 50 conhost.exe 36->50         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 06:58:41 UTC
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aasmaozbjeipehuzvbceuy5dh4d64h5vjktdvhmi4tgjpyanbo3q._file
Verdict:
malicious
Similar samples:
0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
Matiex
0c15356ace86634e28b9423de203663878b44e4db268d176536c3976ad832d84
Matiex
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
Matiex
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
Matiex
5abccf199b1e503db7c810a9dcbe1310b6a6b78441b091dae6f45c92d3c3add1
Matiex
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
Matiex
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
Matiex
adbfaef61c436d79f0ab2c890570f73ae979609feafd21d9932e86641aac05dd
Matiex
bc58f1f37527b2256089b3fedbf5044ad396b267a762ca7e7f6fa7c81f76259b
Matiex
ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
Matiex
+ 98 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
family:matiex evasion keylogger persistence stealer trojan
Link:
https://tria.ge/reports/210309-8wa8nzlvdx/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Matiex
Matiex Main Payload
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7
MD5 hash:
e7af6cf663f5f1dd585d35f6b68dd51a
SHA1 hash:
21adecb7f3e7c00e17a3a078881371af1bd6d6f3
Link:
https://www.unpac.me/results/2c18703d-80e2-4f3c-88ab-508440d67c7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_Matiex
Create hunting rule
Author:ditekSHen
Description:Matiex/XetimaLogger keylogger payload
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip cd63f226472363f922bbdd9d21c1821c0b97a12b9b369e53d482d0c412df63af

Matiex

Executable exe 0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7

(this sample)

  
Dropped by
MD5 833afa81bb417fd53807d5bc23a743b6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123164/
  
Dropped by
SHA256 cd63f226472363f922bbdd9d21c1821c0b97a12b9b369e53d482d0c412df63af

Comments