MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
SHA3-384 hash: fb7984d4e195ee391285d9a924bd1068b4488a4f08fe2626cc48f2bf268ee7af2a9be8df74bb99c6abb9617554aa8d27
SHA1 hash: 66e38e05ecedec2b960f00c8642e7b989b548fce
MD5 hash: 07d4f464ef34129d8fa754f8fc5b7218
humanhash: fourteen-harry-diet-stream
File name:PICTURE‮GEPJ.SCR
Download: download sample
Signature Matiex
Create hunting rule
File size:171'445 bytes
First seen:2020-10-07 04:46:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 3072:Sz+92mhTMMJ/cPiq5bVizDzte3s9idpz9GmeCLW8TDaES70twO:Sz+92mhAMJ/cPl3iz/OdxjFDaU
Threatray 37 similar samples on MalwareBazaar
TLSH 1DF3D013B7C5007AE66222302EBE3B5BD67CFC3469B9E50EE755360D3A71492851BB23
Reporter abuse_ch
Tags:Matiex scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cosmo.securesvr.net
Sending IP: 139.99.69.157
From: Numbafox-KFT <numbaf@yahoo.com>
Subject: New Order!
Attachment: PICTURE‮GEPJ.SCR

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68735/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Launching a process
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Result
Threat name:
AgentTesla Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483576
Signature
Antivirus detection for dropped file
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 15:48:58 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l73eo3c6wnmhvqoxwavh4bhmidwaybuwxc6xyoruwdk7rhjmvjtq._file
Verdict:
malicious
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
Matiex
5e7621b7f875f9e6c730454d916a2bc2acb7d8b1fbc1dbe7cdb1917d42f1590b
Matiex
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
Matiex
6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da
Matiex
702221e0753dc7bdae96ab782721c0e3a58d5d51d15f74af56c662f92f120125
Matiex
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
Matiex
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
Matiex
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
Matiex
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
Matiex
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
Matiex
+ 27 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:matiex
Link:
https://tria.ge/reports/201007-d6hk33el5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
MD5 hash:
07d4f464ef34129d8fa754f8fc5b7218
SHA1 hash:
66e38e05ecedec2b960f00c8642e7b989b548fce
Link:
https://www.unpac.me/results/2dc01d12-1dfe-4abb-871f-190331f4e410/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

Executable exe 5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68735/

Comments