MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matanbuchus

Vendor detections: 7



SHA256 hash: 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
SHA3-384 hash: 643d8392160936179fc470fec08c932a558b32831ef47e05fa5597fb76466d7ec486f7005d60f65a0a9d21593cd51583
SHA1 hash: b21482d1072e5cb65488f2c181f38c75d8c80dcd
MD5 hash: c0ee31bc6536ae8cb7e5d8809676920a
humanhash: saturn-seventeen-nevada-shade
File name: SCAN-068589.pdf.msi
Signature: Matanbuchus
File size: 229'376 bytes
First seen: 2022-06-16 18:19:40 UTC
Last seen: 2022-06-17 11:18:14 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 3072:58Xa2c1oag7+aqKVIma2OGwFLOAL4/QUPL8gHtHdNMxOzXNcO2nB:L9oa1aq9oOGwFVL4/QUDDNHdOxOzd0n
TLSH: T14C24124A33144934C11267382FABF7E647317CCD9E5B8A622297F32C2EB35A056635F4
Reporter: @pr0xylife
Tags: matanbuchus, msi, signed, Westeast Tech Consulting Corp.

Code Signing Certificate

Organisation: Westeast Tech Consulting, Corp.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-18T00:00:00Z
Valid to: 2023-05-11T23:59:59Z
Serial number: 061a27a3a3771bb440fc16cadf2675c4
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 9ed703ba7033af5f88a5f5ef0155adc41715d3175eec836822a09a93d56e4b7f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
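Checking a signer certificate against this CSCB entry, as an added example (not MalwareBazaar or ReversingLabs code): the block walks the DER just far enough to read the serial number and hashes the whole DER certificate for the SHA256 thumbprint listed above. It assumes the signer's DER certificate has already been extracted from the MSI's Authenticode signature (the PKCS#7 SignedData in the MSI's DigitalSignature stream, for instance with osslsigncode); demo_certificate builds a constructed DER skeleton carrying only a version and a serial, not a real certificate, so the block runs offline.

```python
"""Match a DER signer certificate against the CSCB entry shown above.
Added example, not MalwareBazaar or ReversingLabs code.  Assumes the DER
certificate was already pulled out of the MSI's Authenticode signature
(PKCS#7 SignedData in the DigitalSignature stream, whose name carries a
leading 0x05 byte); only hashlib and a minimal DER walker are needed."""
import hashlib

# The CSCB entry exactly as listed on this page.
CSCB = [{
    "organisation": "Westeast Tech Consulting, Corp.",
    "issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
    "serial": "061a27a3a3771bb440fc16cadf2675c4",
    "sha256_thumbprint": "9ed703ba7033af5f88a5f5ef0155adc41715d3175eec836822a09a93d56e4b7f",
}]


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der):
    """Serial number of a DER X.509 certificate as lowercase hex, sign padding stripped."""
    tag, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)             # TBSCertificate ::= SEQUENCE { [0] version, serial, ... }
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                         # optional EXPLICIT [0] version precedes the serial
        tag, value, nxt = _tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # DER prefixes a positive INTEGER with 0x00 when its top bit is set; drop that
    # byte so the value compares with the unpadded form the blocklist publishes.
    return value.lstrip(b"\x00").hex() or "00"


def thumbprint_sha256(der):
    """SHA-256 over the whole DER certificate: the 'Thumbprint' the page lists."""
    return hashlib.sha256(der).hexdigest()


def match_cscb(der, blocklist=CSCB):
    """Return (field, organisation) for every blocklist entry the certificate hits."""
    serial, thumb = certificate_serial(der), thumbprint_sha256(der)
    hits = []
    for entry in blocklist:
        if thumb == entry["sha256_thumbprint"].lower():
            hits.append(("thumbprint", entry["organisation"]))   # this exact certificate
        elif serial == bytes.fromhex(entry["serial"]).lstrip(b"\x00").hex():
            hits.append(("serial", entry["organisation"]))       # serial only: confirm the issuer
    return hits


def demo_certificate(serial_hex):
    """Constructed DER skeleton holding only version + serialNumber (NOT a real
    certificate); just enough structure to exercise the walker offline."""
    raw = bytes.fromhex(serial_hex)
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02" + bytes([len(raw)]) + raw
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs)]) + tbs


if __name__ == "__main__":
    der = demo_certificate("061a27a3a3771bb440fc16cadf2675c4")
    print(certificate_serial(der), thumbprint_sha256(der), match_cscb(der))
```

A thumbprint hit identifies this exact certificate. A serial-only hit is weaker: serial numbers are unique per issuer, not globally, so confirm the issuer (DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 here) before acting on it. Do not rely on the 2023-05-11 expiry to retire the problem either: a timestamped Authenticode signature made inside the validity window stays valid after the certificate lapses, which is why the certificate is blocklisted rather than simply left to expire.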

Intelligence

File Origin
# of uploads: 5
# of downloads: 4'263
Origin country: IE
Mail intelligence: No data
Vendor Threat Intelligence

Result
Threat name: Matanbuchus
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Yara detected Matanbuchus
Behaviour
Behavior Graph (ID 647225; sample SCAN-068589.pdf.msi; start date 16/06/2022; architecture WINDOWS; score 64), reconstructed as a process tree from the flattened graph:

Sample-level signatures: Yara detected Matanbuchus; Uses known network protocols on non-standard ports

msiexec.exe
  dropped: C:\Users\user\AppData\Local\...\main.dll (PE32)
  regsvr32.exe
    regsvr32.exe
      dropped: C:\Users\user\AppData\Local\x86\5507.nls (PE32)
      DNS/IP: collectiontelemetrysystem.com -> 213.226.114.15, ports 443, 48195, 49179 (RETN-ASEU, Russian Federation)
      DNS: telemetrysystemcollection.com
      signature: System process connects to network (likely due to code injection or exploit)
      signature: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
  wscript.exe
taskeng.exe
  regsvr32.exe
    regsvr32.exe
msiexec.exe
Threat name: Win32.Trojan.Matanbuchus
Status: Malicious
First seen: 2022-06-16 18:20:08 UTC
File Type: Binary (Archive)
Extracted files: 28
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: matanbuchus
Score: 10/10
Tags: family:matanbuchus loader
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Matanbuchus
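Both vendor reports above describe the same chain: msiexec.exe installs the MSI, drops main.dll under %LOCALAPPDATA% and hands it to regsvr32.exe, which spawns a second regsvr32.exe that reaches collectiontelemetrysystem.com on 443 and on two non-standard ports, while taskeng.exe later relaunches the same regsvr32.exe chain. What follows is an added example, not MalwareBazaar or sandbox-vendor code, of turning that into detection logic over Sysmon-style process-creation and network events. The events are constructed to mirror the tree and are not a real capture: the PIDs, the "Example" directory under AppData\Local (the report elides the real name), the benign regsvr32.exe control and the browser connection are all made up; field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect).

```python
"""Process-tree and network detections for the behaviour reported above.
Added example (not MalwareBazaar or sandbox-vendor code) over constructed
Sysmon-style events that mirror the sandbox process tree, so it runs offline.
PIDs, the dropped-DLL directory and the benign control events are made up."""

SYS32 = r"C:\Windows\System32"
STANDARD_PORTS = {80, 443}

# Constructed events; a real deployment would read them from the Sysmon log.
EVENTS = [
    {"id": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # msiexec.exe -> regsvr32.exe -> regsvr32.exe, as in the sandbox graph
    {"id": 1, "pid": 700, "ppid": 600, "image": rf"{SYS32}\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\user\Downloads\SCAN-068589.pdf.msi"'},
    {"id": 1, "pid": 1400, "ppid": 700, "image": rf"{SYS32}\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Example\main.dll"'},  # "Example" is constructed
    {"id": 1, "pid": 2000, "ppid": 1400, "image": rf"{SYS32}\regsvr32.exe", "cmd": "regsvr32.exe"},
    {"id": 1, "pid": 1600, "ppid": 700, "image": rf"{SYS32}\wscript.exe", "cmd": "wscript.exe"},
    # taskeng.exe -> regsvr32.exe -> regsvr32.exe: the scheduled-task relaunch
    {"id": 1, "pid": 1000, "ppid": 500, "image": rf"{SYS32}\taskeng.exe", "cmd": "taskeng.exe"},
    {"id": 1, "pid": 1800, "ppid": 1000, "image": rf"{SYS32}\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Example\main.dll"'},
    {"id": 1, "pid": 2500, "ppid": 1800, "image": rf"{SYS32}\regsvr32.exe", "cmd": "regsvr32.exe"},
    # benign control: an ordinary registration of a System32 COM DLL
    {"id": 1, "pid": 3000, "ppid": 600, "image": rf"{SYS32}\regsvr32.exe",
     "cmd": rf'regsvr32.exe /s "{SYS32}\scrrun.dll"'},
    # the child regsvr32.exe beacons on 443 and on two non-standard ports
    {"id": 3, "pid": 2000, "image": rf"{SYS32}\regsvr32.exe", "dst_host": "collectiontelemetrysystem.com",
     "dst_ip": "213.226.114.15", "dst_port": 443},
    {"id": 3, "pid": 2000, "image": rf"{SYS32}\regsvr32.exe", "dst_host": "collectiontelemetrysystem.com",
     "dst_ip": "213.226.114.15", "dst_port": 48195},
    {"id": 3, "pid": 2000, "image": rf"{SYS32}\regsvr32.exe", "dst_host": "collectiontelemetrysystem.com",
     "dst_ip": "213.226.114.15", "dst_port": 49179},
    # benign control: a browser on 443 (host and IP constructed)
    {"id": 3, "pid": 3100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "example.com", "dst_ip": "203.0.113.10", "dst_port": 443},
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image names from pid up to the root, e.g. ['regsvr32.exe', 'msiexec.exe', 'explorer.exe']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours the reports describe."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if _name(e["image"]) != "regsvr32.exe":
            continue                                  # every rule here keys on regsvr32.exe
        if e["id"] == 1:
            chain = ancestry(procs, e["pid"])
            parent = chain[1] if len(chain) > 1 else ""
            user_dll = "\\appdata\\local\\" in e["cmd"].lower()
            # an MSI install handing a DLL dropped under %LOCALAPPDATA% to regsvr32.exe;
            # checked against the whole ancestry, not just the direct parent
            if user_dll and "msiexec.exe" in chain[1:]:
                alerts.append(("msi_to_regsvr32_user_dll", e["pid"], " <- ".join(chain)))
            # the scheduled-task engine relaunching that DLL: persistence
            if user_dll and parent == "taskeng.exe":
                alerts.append(("scheduled_task_regsvr32_user_dll", e["pid"], " <- ".join(chain)))
            # regsvr32.exe spawning regsvr32.exe, seen twice in the sandbox graph
            if parent == "regsvr32.exe":
                alerts.append(("regsvr32_spawns_regsvr32", e["pid"], " <- ".join(chain)))
        elif e["id"] == 3:
            # any regsvr32.exe network connection is suspect; a non-standard port is the
            # narrower form of the sandbox's "known protocols on non-standard ports" signal
            rule = "regsvr32_network" if e["dst_port"] in STANDARD_PORTS else "regsvr32_network_nonstandard_port"
            alerts.append((rule, e["pid"], f'{e["dst_host"]} ({e["dst_ip"]}):{e["dst_port"]}'))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The first rule looks at the whole ancestry rather than only the direct parent, so it still fires if the installer inserts another process between msiexec.exe and regsvr32.exe. The network rule fires on any regsvr32.exe connection because the binary only reaches the network when asked to fetch a remote scriptlet; the non-standard-port variant is the higher-confidence form of the same signal and is what the 48195 and 49179 connections above would trigger.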

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments