MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40
SHA3-384 hash: 0b9066080a056b842eed03c4681c53762c094aa0716416fb71eb11899e789881f4582dc0f07b00bbdb8ef8de1b475d22
SHA1 hash: 2473039c333fcc52d6dd060b7c1d30631553bfd7
MD5 hash: 43fca1d8939949f3e3757f87360fd983
humanhash: sodium-freddie-two-leopard
File name:INV#3390876214_GU74-1.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:1'050'808 bytes
First seen:2020-10-14 15:03:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:fvBTBxNYtFP2jVgGG390wqF/Vd6FmQT3ej3TKS:jkwVKcb61EuS
Threatray 31 similar samples on MalwareBazaar
TLSH D3257AA4754F6CC8DA7B427C09C2E0B38EF535622350F65B1CE456DBCEA10653B8BC9A
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: atl4mhob24.registeredsite.com
Sending IP: 209.17.115.121
From: info <info@echoproducts.com>
Reply-To: info <info@echoproducts.com>
Subject: Fw: Shams Inv Confirmation INV#3390876214_GU74-1
Attachment: INV3390876214_GU74-1.IMG (contains "INV#3390876214_GU74-1.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70834/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/491168
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298064 Sample: INV#3390876214_GU74-1.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 80 20 Antivirus / Scanner detection for submitted sample 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected Matiex Keylogger 2->24 26 2 other signatures 2->26 7 INV#3390876214_GU74-1.exe 2->7         started        process3 signatures4 28 Hides threads from debuggers 7->28 30 Injects a PE file into a foreign processes 7->30 10 timeout.exe 1 7->10         started        12 INV#3390876214_GU74-1.exe 7->12         started        14 WerFault.exe 20 3 7->14         started        16 INV#3390876214_GU74-1.exe 7->16         started        process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 19:07:41 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kevs6h2lmwmtbeakxtepkhixl2emqgygig3ukctgdc3xqsh2hnaa._file
Verdict:
unknown
Similar samples:
19ea2b24f4d65b8169f982300901dba2253a880e3bd3f07dfcf933c0fe67a139
Matiex
263c44c0debf596d893d64e491c6ba5f31ccc06171fdd41abff109788a05ccec
Matiex
4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f
Matiex
4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0
Matiex
4ef4b992bece8ea1963a7cfb7eb66970890c65f13ecb6cad17097bc364a4e0d0
Matiex
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
Matiex
6dbd3f42bf990db55372e1e01a3ddb4dbbdf3051fa01492bca882dbc023bb71a
Matiex
6fa3091f305d9f040aca294e296e92c3590ce397bbf650ee9f26e3bc744d1f6a
Matiex
bb3f58303f485aae5008474b5728f5f5dddea88b517835da3e402e0cafa53253
Matiex
c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
Matiex
+ 21 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
spyware stealer keylogger family:matiex
Link:
https://tria.ge/reports/201014-vdlyvngc6e/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40
MD5 hash:
43fca1d8939949f3e3757f87360fd983
SHA1 hash:
2473039c333fcc52d6dd060b7c1d30631553bfd7
Link:
https://www.unpac.me/results/1f25567a-ae14-4cf1-bc29-6fff973802fa/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/1f25567a-ae14-4cf1-bc29-6fff973802fa/
SH256 hash:
28508444ad570f83901e49c27d840126f314bfaf46bb8de0b673c5aee3d73ffa
MD5 hash:
30608644bf7aa34d11d37e66c3554b7a
SHA1 hash:
8e3eff96a2070b9a1cd07fc13176f013dcb7c518
Link:
https://www.unpac.me/results/1f25567a-ae14-4cf1-bc29-6fff973802fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

img 9ff047b1f3fdd19a29b1bc6639fdee89037d1ffdda63aedfb819bc9804632423

Matiex

Executable exe 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40

(this sample)

  
Dropped by
MD5 ac1a65c9d1b72af15dda0465f5b7a48b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70834/
  
Dropped by
SHA256 9ff047b1f3fdd19a29b1bc6639fdee89037d1ffdda63aedfb819bc9804632423

Comments