MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matiex

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1
SHA3-384 hash:	b7018929636472058cb61b9d5518908bd429e20db0fa4ea378916c724049a478f11b9ba83390d1a4d20f16db6860a348
SHA1 hash:	e2af3fe3b2ff9ed604ea6ca40fc2a7e18fef7f64
MD5 hash:	e403224181d35975467c43df34caaf3b
humanhash:	pip-winter-juliet-oregon
File name:	kart bilgisizzz.exe
Download:	download sample
Signature	Matiex Create hunting rule
File size:	560'128 bytes
First seen:	2020-12-28 10:37:15 UTC
Last seen:	2020-12-28 12:37:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c316b1c9b53ace86b3252d02ce4c4299 (6 x Matiex, 2 x SnakeKeylogger, 1 x RemcosRAT)
ssdeep	12288:5LX6/1gxHW6MEGsOSe/YThPXfZjk2r6KXuBAMsFVFqlJRy:9K/us3WOqhzXuyMsFjQHy
Threatray	188 similar samples on MalwareBazaar
TLSH	AFC423F78582D9F0C382D0FAD982E7F28A1497291AF04537BE34D723D9ED7A16887418
Reporter	abuse_ch
Tags:	exe geo Matiex TUR

abuse_ch

Malspam distributing Matiex:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: QNB Finansbank E-Ekstre<ekstre@eekstre.qnbfinansbank.com>
Subject: CardFinans KOBİ Visa Kasım ayi ekstreniz.
Attachment: kart bilgisizzz.z (contains "kart bilgisizzz.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

381

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

kart bilgisizzz.exe

Verdict:

Malicious activity

Analysis date:

2020-12-28 10:40:38 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/50be3308-7168-466a-9626-c81fa7c3f771

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Generic.mg.e403224181d35975.263.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Unauthorized injection to a recently created process

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Launching the process to change network settings

Sending a UDP request

Creating a window

Enabling autorun by creating a file

Result

Threat name:

Matiex

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/570672

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected Matiex Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1/

Threat name:

Win32.Infostealer.Stelega

Status:

Malicious

First seen:

2020-12-28 08:56:23 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jrlol4mghxqpvd5e6iie32grjjuv5kt6mekyu4novpxqkhgaewyq._file

Verdict:

unknown

Result

Malware family:

matiex

Score:

10/10

Tags:

family:matiex keylogger spyware stealer

Link:

https://tria.ge/reports/201228-v432lscgyn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Matiex

Matiex Main Payload

Unpacked files

SH256 hash:

e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b

MD5 hash:

f615aa95251fc14492843942a588614c

SHA1 hash:

296669e81c271762d5068f8a9ecbb354ffc335c9

Link:

https://www.unpac.me/results/67b0f7a0-9f88-436f-b46e-8e264deed8b3/

SH256 hash:

c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81

MD5 hash:

eebb807f8a5a2d47c89648e4fb907f89

SHA1 hash:

35e8cbe02f0ce21492333604056e15bdbc923227

Link:

https://www.unpac.me/results/67b0f7a0-9f88-436f-b46e-8e264deed8b3/

SH256 hash:

e670cd560486450410e439faacce6a514538c13c41a8b46a689249801c34d4a8

MD5 hash:

5cc48b521df80be43d7a184d8171a841

SHA1 hash:

8a99036cffb906cbb20795beb2c543ea3399aabb

Link:

https://www.unpac.me/results/67b0f7a0-9f88-436f-b46e-8e264deed8b3/

SH256 hash:

4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1

MD5 hash:

e403224181d35975467c43df34caaf3b

SHA1 hash:

e2af3fe3b2ff9ed604ea6ca40fc2a7e18fef7f64

Link:

https://www.unpac.me/results/67b0f7a0-9f88-436f-b46e-8e264deed8b3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_Matiex Create hunting rule
Author:	ditekshen
Description:	Matiex keylogger payload

Rule name:	win_matiex_keylogger_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip 3667609f0c24ab6f0f752272d3912979fb5a589c0e067d09279947d5852adfd6

Matiex

exe 4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1

(this sample)

Dropped by

MD5 a2fba1dec44bfa5b15766e018b35869c

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3667609f0c24ab6f0f752272d3912979fb5a589c0e067d09279947d5852adfd6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample