MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matrix


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6
SHA3-384 hash: 187ad098894c3c9ae6e4bac1808ed85c600b187e9e6a57329b3612b7674826ebc68254b0bf91086d6ae5ff6f33b3393c
SHA1 hash: f8ce09a61e7b131c1d48e621b65a4789f7d5feed
MD5 hash: 504890ff01be54dfa0ce0b92624614a2
humanhash: pluto-march-single-delaware
File name:5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.bin
Download: download sample
Signature Matrix
Create hunting rule
File size:1'235'456 bytes
First seen:2020-10-15 17:15:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca3b1af31abe1beced65a635aa0c47a3 (4 x Matrix)
ssdeep 24576:bxcxFP+OOobRioyJR5ezu413hJE5cxoBcYE41iZb0ZtA0fSWbasM:GfzBE6xs16gQ0fd9
Threatray 51 similar samples on MalwareBazaar
TLSH BF457D23B34860BEC46A0A3645B7CD54793FB760A9178C1767F0492CEF695813E3AA4F
Reporter Arkbird_SOLG
Tags:Matrix Ransomware


Avatar
ArkbirdDevil
Pattern -> [SantaGman@criptext.com].[$Filename].SNT2

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Detection:
VSSDestroy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71535/
Detection(s):
Win.Ransomware.Matrix-7530993-0
Create hunting rule

PUA.Win.Adware.Dealply-6840263-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
DNS request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %AppData% directory
Changing a file
Modifying an executable file
Moving a file to the Program Files subdirectory
Moving a file to the %AppData% subdirectory
Creating a file in the Program Files subdirectories
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Launching a process
Network activity
Moving a file to the Program Files directory
Connection attempt
Creating a file in the Program Files directory
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492803
Signature
Antivirus / Scanner detection for submitted sample
Changes the wallpaper picture
Drops batch files with force delete cmd (self deletion)
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Wscript called in batch mode (surpress errors)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298853 Sample: 7RR6UWAoLz.bin Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Antivirus / Scanner detection for submitted sample 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 3 other signatures 2->86 9 7RR6UWAoLz.exe 502 2->9         started        14 cmd.exe 2->14         started        process3 dnsIp4 74 gmn.timerz.org 199.59.242.150, 49725, 49857, 50127 BODIS-NJUS United States 9->74 64 C:\Users\user\Desktop\VAMYDFPUND.docx, data 9->64 dropped 66 C:\Users\user\Desktop\...\QNCYCDFIJJ.pdf, data 9->66 dropped 68 C:\Users\user\Desktop\LSBIHQFDVT.pdf, data 9->68 dropped 70 79 other files (64 malicious) 9->70 dropped 92 Drops batch files with force delete cmd (self deletion) 9->92 94 Tries to harvest and steal browser information (history, passwords, etc) 9->94 96 Writes many files with high entropy 9->96 98 3 other signatures 9->98 16 cmd.exe 1 9->16         started        19 cmd.exe 1 9->19         started        21 cmd.exe 1 9->21         started        23 4 other processes 9->23 file5 signatures6 process7 file8 76 Uses cmd line tools excessively to alter registry or file data 16->76 26 reg.exe 1 16->26         started        39 3 other processes 16->39 29 cmd.exe 19->29         started        41 3 other processes 19->41 78 Wscript called in batch mode (surpress errors) 21->78 31 wscript.exe 1 21->31         started        33 conhost.exe 21->33         started        62 C:\Users\user\Desktop62Wdg3ilW.exe, PE32 23->62 dropped 35 conhost.exe 23->35         started        37 conhost.exe 23->37         started        43 3 other processes 23->43 signatures9 process10 signatures11 90 Changes the wallpaper picture 26->90 45 19U5Sggj.exe 29->45         started        48 cmd.exe 31->48         started        50 cmd.exe 31->50         started        process12 file13 72 C:\Users\user\AppData\...\19U5Sggj64.exe, PE32+ 45->72 dropped 52 19U5Sggj64.exe 45->52         started        56 conhost.exe 48->56         started        58 schtasks.exe 48->58         started        process14 file15 60 C:\Windows\System32\drivers\PROCEXP152.SYS, PE32+ 52->60 dropped 88 Sample is not signed and drops a device driver 52->88 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6/
Threat name:
Win32.Ransomware.Matrix
Create hunting rule
Status:
Malicious
First seen:
2020-05-24 16:38:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
41 of 46 (89.13%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
Matrix
4f4037898d619b3b5f1c9fedd3e3940f46d39a57db2cbf9b4d8238d587fd7168
Matrix
517e1659c9d9ee4de266b3ade2d06965b670d17082ae2c2c97b4c694bb29152a
Matrix
593d037e9fd467ebe80cb0ff28d22be2dbc0fdaad4d626ee2ad30707d8ea23da
Matrix
69cd9793d80b5e5d7f5bf377822dc573c84ef939ede4eedd892fd1b757435bff
Matrix
9282d409b92e1ebf58829283933edea243f7ccf3b68456139986c7cb5949522d
Matrix
d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6
Matrix
d5fce47c9f644b0cd9d392a93e30bbfdc9368d06250263a200708da9f80e4048
Matrix
f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab
Matrix
f9a19835601dc81b94557b0452cbde314a8f856e9d6371b825f39b627dba2949
Matrix
+ 41 additional samples on MalwareBazaar
Result
Malware family:
matrix
Create hunting rule
Score:
  10/10
Tags:
upx spyware ransomware discovery persistence family:matrix evasion
Link:
https://tria.ge/reports/201015-hpdyl18dx2/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Interacts with shadow copies
Drops file in Program Files directory
Modifies service
Sets desktop wallpaper using registry
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
Modifies extensions of user files
Sets service image path in registry
UPX packed file
Deletes shadow copies
Modifies boot configuration data using bcdedit
Matrix Ransomware
Unpacked files
SH256 hash:
5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6
MD5 hash:
504890ff01be54dfa0ce0b92624614a2
SHA1 hash:
f8ce09a61e7b131c1d48e621b65a4789f7d5feed
Detections:
win_matrix_ransom_auto
Create hunting rule
Link:
https://www.unpac.me/results/18e1239e-cc79-4a3b-8269-3f8efcd9523f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://github.com/StrangerealIntel/DailyIOC/blob/master/2020-10-15/MATRIX/RAN_Matrix_Sep_2020_1.yar
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/71535/

Comments