MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55968032b0bdbbb56eae5b171f12f12cb72020301efaf43014599ac9d7d8341d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55968032b0bdbbb56eae5b171f12f12cb72020301efaf43014599ac9d7d8341d
SHA3-384 hash: 774fc04eceb8fef89bb61bb6d9f02254ca829efc5d95c41e53b2f785e2b74c67d4316b71425939dcb3ae60b50c5c5053
SHA1 hash: 4a1e134e12fa3ad512aa93ed91ab092c189381fb
MD5 hash: a9c4a016d08ff940dfc11c0742131c79
humanhash: king-helium-oregon-east
File name:a9c4a016d08ff940dfc11c0742131c79.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:433'664 bytes
First seen:2020-12-11 08:18:59 UTC
Last seen:2021-02-17 13:51:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:PtQKo1WzbldZ9sgWLmYngxAvhUPULXqA5v0BEHu1yU93B+w4Qk088rXV8igyZbQM:l/om0rijxehUPoXTRHDUdkGrl80cu
TLSH 4E94E03221457B25E77D4FB0D02124040F746F2B6635E65EACC510DE2ABF730BAA6EA3
Reporter abuse_ch
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
3
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XC7eCddpJGSBLnWFD.exe
Verdict:
Malicious activity
Analysis date:
2020-12-11 13:52:55 UTC
Tags:
evasion trojan 404keylogger stealer
Link:
https://app.any.run/tasks/22c0768c-ed49-4c2d-b599-a088800343c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107727/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.15556.2022.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/561587
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55968032b0bdbbb56eae5b171f12f12cb72020301efaf43014599ac9d7d8341d/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 03:13:22 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwliamvqxw53k3volmlr6exrfs3saibqd35pimaulgnmtv6ygqoq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201211-hkyh4d9npj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
55968032b0bdbbb56eae5b171f12f12cb72020301efaf43014599ac9d7d8341d
MD5 hash:
a9c4a016d08ff940dfc11c0742131c79
SHA1 hash:
4a1e134e12fa3ad512aa93ed91ab092c189381fb
Link:
https://www.unpac.me/results/c13a20fe-085a-4d26-9935-5ba5d1aa4d06/
SH256 hash:
cf39a7a3c34d16e464f7a7968196dfe005d50814aa4309e56353d4d734b450a2
MD5 hash:
2ef3c66d14697a5dfb20f5e7b2d19f65
SHA1 hash:
0fad08a6f92cecc1f73794ad7c0eb02ef912cfcd
Link:
https://www.unpac.me/results/c13a20fe-085a-4d26-9935-5ba5d1aa4d06/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/c13a20fe-085a-4d26-9935-5ba5d1aa4d06/
SH256 hash:
8fe97e80cf3123f2bb560d2daf7c02bc8c31b87de64766f86e858c1b5eeef91e
MD5 hash:
348a615cf9f510a45a72bf8cc0c210ea
SHA1 hash:
6fcdbe7bd03a3250889e42a86de93bdc7c473782
Link:
https://www.unpac.me/results/c13a20fe-085a-4d26-9935-5ba5d1aa4d06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55968032b0bdbbb56eae5b171f12f12cb72020301efaf43014599ac9d7d8341d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Matiex

Executable exe 55968032b0bdbbb56eae5b171f12f12cb72020301efaf43014599ac9d7d8341d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/906417/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107727/

Comments