MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cd96a2654e91bcc1de8b58be478885306f814da7b0c28d55f159a8735833c2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matiex

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	0cd96a2654e91bcc1de8b58be478885306f814da7b0c28d55f159a8735833c2b
SHA3-384 hash:	b6cb329b2b569086ea2fcf6164ada81e8f17f781d5f5e6a2ae7a4576f983cdaa7de9689d4926f0418c9e099e6d6e2062
SHA1 hash:	b2cc4bb5696df68719a5cd459c1bab81c7c736c4
MD5 hash:	72dfd1d599cce598e8b87177b6d1073b
humanhash:	whiskey-mirror-robert-winner
File name:	2fqBWgZQeAgkbCH.exe
Download:	download sample
Signature	Matiex Create hunting rule
File size:	1'205'248 bytes
First seen:	2022-01-25 08:27:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:lxpi3uP0z0m8n5p7lV68B/qupp59BAfdmvrIRc4:lxBP40mC7lkQ/XpAfQcRc
Threatray	1'333 similar samples on MalwareBazaar
TLSH	T14F4501147BB0C762C17A5BF814F220148BF9352AA63EE5D92CCB52DB4BB9F109461F1B
Reporter	abuse_ch
Tags:	exe Matiex

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/222216/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Launching the process to change network settings

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61efb4a0f81da814afa2b20b/reports/257d6280-a507-41ec-8aa9-72228590639a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6d6c0bc1-951d-486b-880d-c64717fc1076

Result

Threat name:

Matiex

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/926849

Signature

Found malware configuration

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Beds Obfuscator

Yara detected Matiex Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0cd96a2654e91bcc1de8b58be478885306f814da7b0c28d55f159a8735833c2b/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2022-01-25 08:28:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=btmwujsu5en4yhpiwwf6i6eikmdpqfg2pmgcrvk7cwnionmdhqvq._file

Verdict:

malicious

Matiex

32de63f0ac703c7d654d2676af0b2b3fa08dced0bc918318a9d642a696a6a91c

Matiex

4c65f92cd878c051338bda2ff251c8714d6b7ae2bcea06e73bc954661e993571

Matiex

7693a7f9092aeaa07efdd546e161292a50dc75f10f9dee46eab2893b49551604

Matiex

888a3f974e9662ba8d21a3346882b1934e6f22ee38a38a84223a54f3bcbc6649

Matiex

dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f

Matiex

f827a4622e16afa2f9c9940c7b24d4c81ec206195307a7b5a0761ec735714926

Matiex

fe7db020dc9a216c417340950ed826de77d3fe968ab9b16f5ddb98e08dcb0eee

Matiex

+ 1'323 additional samples on MalwareBazaar

Result

Malware family:

matiex

Score:

10/10

Tags:

family:matiex collection keylogger spyware stealer suricata

Link:

https://tria.ge/reports/220125-kc1v5acbaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Matiex

Matiex Main Payload

suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

Malware Config

C2 Extraction:

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Unpacked files

SH256 hash:

649572083f88add6ccdb7b410ff54c87cfddc696077b2617a94e795bde6a9b39

MD5 hash:

f947b35b5e499763bf2ad0bae7af0255

SHA1 hash:

fad8bf27812a9b3ce6c86449532108c3498669a3

Link:

https://www.unpac.me/results/2c8af1d7-5c94-48a6-9ccd-7fe577bfbabd/

SH256 hash:

8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1

MD5 hash:

efdf2c54a74297c24bc73285376c432b

SHA1 hash:

564f25afb6c5599cdcd5fafaff32c1475e581af4

Link:

https://www.unpac.me/results/2c8af1d7-5c94-48a6-9ccd-7fe577bfbabd/

SH256 hash:

c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81

MD5 hash:

eebb807f8a5a2d47c89648e4fb907f89

SHA1 hash:

35e8cbe02f0ce21492333604056e15bdbc923227

Link:

https://www.unpac.me/results/2c8af1d7-5c94-48a6-9ccd-7fe577bfbabd/

SH256 hash:

4a2b5135cc2698e050ea3086aee8d33d26ab1f637567e870f0487e21b8a8827f

MD5 hash:

ef6110703328bac5a8e57185e44880b3

SHA1 hash:

30be1e2d8d345b8d7517322ebdb5b0d57337ecd9

Link:

https://www.unpac.me/results/2c8af1d7-5c94-48a6-9ccd-7fe577bfbabd/

SH256 hash:

0cd96a2654e91bcc1de8b58be478885306f814da7b0c28d55f159a8735833c2b

MD5 hash:

72dfd1d599cce598e8b87177b6d1073b

SHA1 hash:

b2cc4bb5696df68719a5cd459c1bab81c7c736c4

Link:

https://www.unpac.me/results/2c8af1d7-5c94-48a6-9ccd-7fe577bfbabd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/0cd96a2654e91bcc1de8b58be478885306f814da7b0c28d55f159a8735833c2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	MALWARE_Win_Matiex Create hunting rule
Author:	ditekSHen
Description:	Matiex/XetimaLogger keylogger payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_matiex_keylogger_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/222216/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample