MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef
SHA3-384 hash: 0e9a981e3e1dac5e6642b2f466f32b5fb58f73e275e628ddc09a337e3a11f7b59115d0865761798e2d1f511cadf971a2
SHA1 hash: 97694934fc9e0caf9efb751e687ca7290f79ff2d
MD5 hash: e492155e4d4cab9522ef4144234c8069
humanhash: crazy-mango-oscar-stream
File name:Purchase_Order_11_19_20.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:732'672 bytes
First seen:2020-11-19 06:52:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28f23f3d8e8caef0d96e308e79b83dbf (1 x Matiex, 1 x AgentTesla, 1 x MassLogger)
ssdeep 12288:50pFV0qt+scDdRJp/C82sWzhB+6Nl+JaDHaBvDPtpv8o/qWmZ0g7z7o:5kks6BJWzPqJv9PrvxqWu0qz7o
Threatray 10 similar samples on MalwareBazaar
TLSH A5F4F13176D4D070C2E7073018FA9797E37D7D615BA69ACB67885F4E5A308C09B392A3
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: purchasing.shipping@gcrieber.no
Subject: New purchase order No. 5000019156
Attachment: Purchase_Order_11_19_20.gz (contains "Purchase_Order_11_19_20.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Bang5mai-6804572-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Modifying an executable file
Unauthorized injection to a recently created process
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/542643
Signature
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320424 Sample: Purchase_Order_11_19_20.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 92 36 Multi AV Scanner detection for submitted file 2->36 38 May check the online IP address of the machine 2->38 40 Machine Learning detection for sample 2->40 42 3 other signatures 2->42 7 Purchase_Order_11_19_20.exe 3 2->7         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 7->26 dropped 28 C:\...\2994a388d1d048dba54db2a714e9a29c.xml, XML 7->28 dropped 50 Detected unpacking (creates a PE file in dynamic memory) 7->50 11 Purchase_Order_11_19_20.exe 1 7->11         started        14 cmd.exe 1 7->14         started        16 Purchase_Order_11_19_20.exe 7->16         started        signatures5 process6 signatures7 52 Maps a DLL or memory area into another process 11->52 18 Purchase_Order_11_19_20.exe 15 2 11->18         started        22 conhost.exe 14->22         started        24 schtasks.exe 1 14->24         started        process8 dnsIp9 30 checkip.dyndns.org 18->30 32 checkip.dyndns.com 131.186.161.70, 49715, 49716, 49720 DYNDNSUS United States 18->32 34 2 other IPs or domains 18->34 44 Tries to steal Mail credentials (via file access) 18->44 46 Tries to harvest and steal ftp login credentials 18->46 48 Tries to harvest and steal browser information (history, passwords, etc) 18->48 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 06:53:04 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddmgeegkc4qwglxeufydamj4ute7mcvamv6yhjwmk5vzrckvr3xq._file
Verdict:
unknown
Similar samples:
04a3cf2c1316b5dd21365ac36bc970cc9b28514d42d41712c783345e07a99a07
Matiex
3b02adbda158a35f586aa1f17780dc8d5cd0404c864a16b8c6b5a8f2b02363f9
Matiex
5249e322b12bb4eac27d6358c19c5acfde591e04d061e94ac4df72db49dd8cd6
Matiex
8c27edb9a77712a4e13e8133f233ba34d7182e7823d0408fd12da11c91f94178
Matiex
bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc
Matiex
bde085b89e6e50618b1f38f6d889bf9554b11d0a08a82a315e0a66fec7718daf
Matiex
c4419fe8bcf0371cefb5b778b2600f307234493e02ce432aae1cc0a7d32e0711
Matiex
c9c6ab014615422f9d6def268a9c0c17172882d4319c3261c66341bf31ee1ba8
Matiex
cb02efcc2f6504dc44c9ea4ceb02879374d3e1995c4960a6f85914b03690d39a
Matiex
ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f
Matiex
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201119-mjqrcb4cz2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef
MD5 hash:
e492155e4d4cab9522ef4144234c8069
SHA1 hash:
97694934fc9e0caf9efb751e687ca7290f79ff2d
Link:
https://www.unpac.me/results/6a25ba03-a40c-4266-966d-616d82ba26da/
SH256 hash:
801820e55ba48ed73d99d0c371cf36cb6510c7bfb65f269a02e9a949a8c9869b
MD5 hash:
0d5d70c59524bac1918ed5fdb39926cf
SHA1 hash:
38f0000fa1619c84e2ca57e2c6ca7fc77b3090ee
Link:
https://www.unpac.me/results/6a25ba03-a40c-4266-966d-616d82ba26da/
SH256 hash:
df9b6df980d92c238e9a11a6b1e3c3e3b9e62b41fa1944f9881aa49168ece553
MD5 hash:
37d78b29bae8d4e9c30451796004d19b
SHA1 hash:
f9dee65639ce088707419b2e55c8767c85c321ce
Link:
https://www.unpac.me/results/6a25ba03-a40c-4266-966d-616d82ba26da/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip 9d52c8bf2681f26a9942ff0ad4ea89eb87be69a86ea8fc5228eece4c127cdc06

Matiex

Executable exe 18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef

(this sample)

  
Dropped by
MD5 cdc211338f75932b5c09553b331c0427
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9d52c8bf2681f26a9942ff0ad4ea89eb87be69a86ea8fc5228eece4c127cdc06

Comments