MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6
SHA3-384 hash: 0bd73a39f2f2e5daa147eff0cf58ddbc0d18ddaa7537abdde36a0c0345bbe2c105cf5da2ac7b2544dcf4c5e84ca07a64
SHA1 hash: 3a521d479251ff636f2407c4c8c2bb98431256a9
MD5 hash: bc62454368eb0d7ac53203b5b448f483
humanhash: golf-ink-twelve-july
File name:490877008990.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:541'696 bytes
First seen:2020-10-09 15:43:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2123b55b1da3ef56598042753458327 (3 x Matiex, 2 x AgentTesla)
ssdeep 6144:27igDERmRBKWeeM8LEE1VvLtvrMJW9vvt52/CUbPpQu0bX:BWRBKWDDYE7vLtTMJWb50CQhQue
Threatray 4 similar samples on MalwareBazaar
TLSH FEB45BFBAA09924FD36B5135F740B2A658EAB13F48E0C2EFFC695E0913B806507453D6
Reporter abuse_ch
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69585/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Creating a window
Sending a UDP request
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486905
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295918 Sample: 490877008990.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 32 Sigma detected: Capture Wi-Fi password 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Matiex Keylogger 2->36 38 5 other signatures 2->38 9 490877008990.exe 1 2->9         started        process3 process4 11 490877008990.exe 1 9->11         started        14 conhost.exe 9->14         started        16 MSBuild.exe 9->16         started        signatures5 48 Writes to foreign memory regions 11->48 50 Allocates memory in foreign processes 11->50 52 Injects a PE file into a foreign processes 11->52 18 MSBuild.exe 15 2 11->18         started        process6 dnsIp7 26 checkip.dyndns.org 18->26 28 checkip.dyndns.com 131.186.161.70, 49729, 49730, 49732 DYNDNSUS United States 18->28 30 2 other IPs or domains 18->30 40 Tries to steal Mail credentials (via file access) 18->40 42 Tries to harvest and steal ftp login credentials 18->42 44 Tries to harvest and steal browser information (history, passwords, etc) 18->44 46 Tries to harvest and steal WLAN passwords 18->46 22 netsh.exe 3 18->22         started        signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 14:33:43 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aljabqxvhb2p5cxldxzn43y4i3cqpoaixf3kn6j46hcudn5z5tda._file
Verdict:
unknown
Similar samples:
182bb780697bc253a6186a077bd17cd952abf8f823ab8c87205eed570c9865d3
Matiex
9637aff986e8795e82308aa077349b80989b6b0ca89973e209d3dee98da1e464
Matiex
f23176b88ae0da50473883837d6368b64c86e2f7c5a7cc3b59566f461318d99f
Matiex
f532c606947a2abffb614405ed58ec56bbba9b54f71b1bb00c824e46442d90a7
Matiex
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:matiex spyware
Link:
https://tria.ge/reports/201009-8zas66jhve/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6
MD5 hash:
bc62454368eb0d7ac53203b5b448f483
SHA1 hash:
3a521d479251ff636f2407c4c8c2bb98431256a9
Link:
https://www.unpac.me/results/df96fda3-442f-47a3-a25c-5e688a0cad7e/
SH256 hash:
9ce3998d86e59ffe8a34464e2c7f0ad613f5fe296cb771c49cbeeca9fa3de59c
MD5 hash:
0f27dc6dd32c341a7b7c4f14bb47ebe9
SHA1 hash:
21ccfecc990a48426f4f3c5b6036971916c37c1b
Link:
https://www.unpac.me/results/df96fda3-442f-47a3-a25c-5e688a0cad7e/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/df96fda3-442f-47a3-a25c-5e688a0cad7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69585/

Comments