MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844
SHA3-384 hash: 633754e59fa861584f84074d7e1f2e2b3d3b8ac5a5c80ed01ee8ee206f4f0dabc92a0c948f8d886df2c81874053dbfc7
SHA1 hash: 6f38750c285733a276e142449ccf1b7d34df0109
MD5 hash: c28eaefb9f817f6300d3b339cb078d04
humanhash: finch-utah-early-muppet
File name:mmmomoioo.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:557'056 bytes
First seen:2020-10-10 17:55:26 UTC
Last seen:2020-10-10 18:48:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2123b55b1da3ef56598042753458327 (3 x Matiex, 2 x AgentTesla)
ssdeep 6144:D7igDER8znLfvRHzM7+4dBbWTre+S7Of1VpM1LIKZGYE0FCHo:KsnhTM7+4dBbaK+S7OxM1RGgII
Threatray 7 similar samples on MalwareBazaar
TLSH 86C46BE0DA95876ADD0988F220E823EF01387879C47470DD6684CF1BB1646CA7B79F97
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.209
From: Leticia Cruz Gutierrez <sumintern@prodigy.net.mx>
Subject: ORDEN DE COMPRA
Attachment: mmmomoioo.zip (contains "mmmomoioo.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69755/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Creating a window
Unauthorized injection to a system process
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487544
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 20:18:52 UTC
AV detection:
39 of 48 (81.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mjgymbvw7lohvkfzzo3suertr7hcqms7tpeetj4kl6iri7zwzbca._file
Verdict:
unknown
Similar samples:
02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6
Matiex
182bb780697bc253a6186a077bd17cd952abf8f823ab8c87205eed570c9865d3
Matiex
3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9
Matiex
90aa9f9ad74752d2965816d8d68399d2b1c4fdce28c2ca57753196b3a2d60b34
Matiex
9637aff986e8795e82308aa077349b80989b6b0ca89973e209d3dee98da1e464
Matiex
f23176b88ae0da50473883837d6368b64c86e2f7c5a7cc3b59566f461318d99f
Matiex
f532c606947a2abffb614405ed58ec56bbba9b54f71b1bb00c824e46442d90a7
Matiex
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
spyware stealer keylogger family:matiex
Link:
https://tria.ge/reports/201010-bd9xhez5e2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/99ed9d15-2b7e-4d05-9ca7-ddf38eca5064/
SH256 hash:
e19d013c0bacad97fae46d97a48491574ad5803d7ecd2b0d3a56449377d534a5
MD5 hash:
31d4d889bf384e86e630d5d173d1b2c4
SHA1 hash:
6307cd6ac2bfd9ef00794140643bc9530e0affb8
Link:
https://www.unpac.me/results/99ed9d15-2b7e-4d05-9ca7-ddf38eca5064/
SH256 hash:
624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844
MD5 hash:
c28eaefb9f817f6300d3b339cb078d04
SHA1 hash:
6f38750c285733a276e142449ccf1b7d34df0109
Link:
https://www.unpac.me/results/99ed9d15-2b7e-4d05-9ca7-ddf38eca5064/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip ccb31439442084b3d2f386d8868c7e3ebc10d78d67b3841daf7f8268f0ca8af5

Matiex

Executable exe 624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844

(this sample)

  
Dropped by
MD5 a36cafe77b649ec9cbb99b9bd271955b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69755/
  
Dropped by
SHA256 ccb31439442084b3d2f386d8868c7e3ebc10d78d67b3841daf7f8268f0ca8af5

Comments