MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e78765ba856759e65007d23fd518d450599157e5a4ce5fe014051a19715eb97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e78765ba856759e65007d23fd518d450599157e5a4ce5fe014051a19715eb97
SHA3-384 hash: 0ab09cf9f5bdef9852f6d8889b0a689c588a16cf4ae4391646372aeed1c89859288b1d706b4e5690f9fdcf0a9864a831
SHA1 hash: 90916a17264beab847d84ab3a98c0890c12e0d8b
MD5 hash: 748c53abb96a6a1bf99d6094c24a83f8
humanhash: low-hotel-wyoming-freddie
File name:PO No.179989 - Hörmann Mexico S.a.de C.v..exe
Download: download sample
Signature Matiex
Create hunting rule
File size:945'152 bytes
First seen:2021-07-06 15:28:13 UTC
Last seen:2021-07-06 17:18:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:DdJ7+TLr6NsBrD/F08Sxyen7r5tec8OT+L9lsL5jgaz6wOo3Ncknaq1qHI/fJhxc:Dd9+T/6N4YXf5tzh2shGo3isawxE
Threatray 10 similar samples on MalwareBazaar
TLSH E315AE7661778F91EEBFC7784335261C4FE9B376D34BF6782C9460994480F814AA2A23
Reporter abuse_ch
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO No.179989 - Hörmann Mexico S.a.de C.v..exe
Verdict:
Malicious activity
Analysis date:
2021-07-06 15:45:08 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/d92aab4f-c816-449a-a884-8a3e30f352ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169990/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5656.16601.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0002fddb-e444-47f7-b519-f09f8288f82e
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812377
Signature
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e78765ba856759e65007d23fd518d450599157e5a4ce5fe014051a19715eb97/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 15:25:08 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hz4hmw5ikz2z4ziapur72umniuczsfl6ljgol7qbibi2dfyv5olq._file
Verdict:
unknown
Similar samples:
1b22054e5e50c8a9323d4bd781fbeaff2611f65299b321fe2a1dc855d70c8904
Matiex
266b2cec76af399c55968fbd2a859d9d16de69f66eb8daf6cc782f9c82ae2aee
Matiex
595dbce05040931410ecbf367e111d112b83cbbd6373ebe934e869140fd0ceb0
Matiex
8435458c2aef3a87cff8443f42436fcac89c82fdeeb0d92a74a5e446710f70f6
Matiex
8df6cbe2123dfeac80e2af6a18935574bab1dbf3c2573cca5900bf202415eb2e
Matiex
93fa16fb44a1c4bc7fe5ff20de97329824929e679d50aa2fc19c9688bfe95708
Matiex
a8dc35cbb631cc9dd30939228b3a946c4d056d575b01d31d60a0804cec40dc9a
Matiex
aaacdc757d39cd544288dcc7d9fc635dfc4942ed360b63c7be0d79525697fe30
Matiex
ea35c04468d68c2fde827d915e0ffac88a6e01249e3196148d1681c8ad91e9a9
Matiex
faddb41690e2a06a400248d03aebc186f54cc62f522e54c21e482d7bd165c720
Matiex
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
family:matiex keylogger stealer
Link:
https://tria.ge/reports/210706-hkl73jygge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/e2fe0685-3748-4d2a-a801-94fe9ab42691/
SH256 hash:
2ed7045c9f6b7dc272bd2710975e8173284ce2df57f47bef916acc87666adbdb
MD5 hash:
e7e68b84a11e5292620abd1a3b4fbaf1
SHA1 hash:
8452a768bb15e919f2eead3d1be3db7c7b0cde13
Link:
https://www.unpac.me/results/e2fe0685-3748-4d2a-a801-94fe9ab42691/
SH256 hash:
3d5e7ec1044089be3b5ddd61e4717979d680565a123f9e28542c3205d8effe9a
MD5 hash:
83414529ad68ade52a9ce9ffae635c03
SHA1 hash:
4d10396cb78f16782c69b18b2755c67bd1444910
Link:
https://www.unpac.me/results/e2fe0685-3748-4d2a-a801-94fe9ab42691/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/e2fe0685-3748-4d2a-a801-94fe9ab42691/
SH256 hash:
3e78765ba856759e65007d23fd518d450599157e5a4ce5fe014051a19715eb97
MD5 hash:
748c53abb96a6a1bf99d6094c24a83f8
SHA1 hash:
90916a17264beab847d84ab3a98c0890c12e0d8b
Link:
https://www.unpac.me/results/e2fe0685-3748-4d2a-a801-94fe9ab42691/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3e78765ba856759e65007d23fd518d450599157e5a4ce5fe014051a19715eb97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

Executable exe 3e78765ba856759e65007d23fd518d450599157e5a4ce5fe014051a19715eb97

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/169990/

Comments