MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64c935f1295d858c75da3c49fa35d153d6d0b738576cde789b60a84d48d5b409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64c935f1295d858c75da3c49fa35d153d6d0b738576cde789b60a84d48d5b409
SHA3-384 hash: a5498a0a0e8365f916b2b740e29cdc2356e8d14a1506d10b9110da0bf49afbf6691cc31fbbce349d050608e7d8d2ecbf
SHA1 hash: 815b3e8e88a90c58c8bbf5402ae84fd547d0e0ff
MD5 hash: 88f61122c9f29f86891f51d71fb11b5e
humanhash: berlin-nebraska-berlin-emma
File name:ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:245'760 bytes
First seen:2020-08-04 15:06:13 UTC
Last seen:2020-08-04 15:56:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:D6kceCFgfiybATXLCL2pVfDcd7ACF/uww+mtfAIrRuw+mqv9j1MWLQXmsolVMSX:jCFgb0mLwf4dMA/ujtooDAOS
Threatray 34 similar samples on MalwareBazaar
TLSH 9B34E6E0B740C065D8AB9679853BDAA36533A25E9C68890D3DC5FF0B7D3238704279DB
Reporter James_inthe_box
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38802/
Detection(s):
SecuriteInfo.com.FileRepMalware.8971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Reading critical registry keys
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun
Enabling autorun by creating a file
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/409655
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257096 Sample: ZoekingAnatco LLC Order 2 P... Startdate: 04/08/2020 Architecture: WINDOWS Score: 92 55 api.telegram.org 2->55 59 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->59 61 Yara detected Matiex Keylogger 2->61 63 May check the online IP address of the machine 2->63 65 6 other signatures 2->65 7 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 2 5 2->7         started        11 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 2->11         started        13 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 5 2->13         started        15 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 5 2->15         started        signatures3 process4 file5 35 ZoekingAnatco LLC ...ecification_pdf.exe, PE32 7->35 dropped 37 ZoekingAnatco LLC ...exe:Zone.Identifier, ASCII 7->37 dropped 39 ZoekingAnatco LLC ...ication_pdf.exe.log, ASCII 7->39 dropped 67 Creates an undocumented autostart registry key 7->67 17 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 15 2 7->17         started        21 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 7->21         started        23 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 11->23         started        25 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 11->25         started        27 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 11->27         started        29 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 2 13->29         started        31 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 13->31         started        33 ZoekingAnatco LLC Order 2 Procurement And Specification_pdf.exe 2 15->33         started        signatures6 process7 dnsIp8 41 checkip.dyndns.org 17->41 51 3 other IPs or domains 17->51 53 2 other IPs or domains 23->53 43 checkip.dyndns.org 29->43 45 216.146.43.70, 49738, 49739, 49741 DYNDNSUS United States 29->45 47 checkip.dyndns.org 33->47 49 192.168.2.1 unknown unknown 33->49 57 Tries to steal Mail credentials (via file access) 33->57 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64c935f1295d858c75da3c49fa35d153d6d0b738576cde789b60a84d48d5b409/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 15:06:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtetl4jjlwcyy5o2hre7unorkplnbnzyk5wn46e3mcue2sgvwqeq._file
Verdict:
suspicious
Similar samples:
00c60b988e29ea74c08f5e0be5d8189bad4cd3c2d7973d06ac7cc87fe65a6870
Matiex
345f9fe448241c80424ef0480515898ddbb13369d8a959e6917d3219e73bfca8
Matiex
55add5e5138bf35c9ef1a148b681358e4731131a72be0ebed59a28e7f7fd7eaf
Matiex
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
Matiex
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
Matiex
9b281a8220a6098fefe1abd6de4fc126fddfa4f08ed1b90d15c9e0514d77e166
Matiex
af665b25b8506408fc9764859ec6bc30b9560d484280d8d115e3e06d4bb973d1
Matiex
c194e82e8a3ada40421b28e668c9135f09f9336732dc31053fc0cebf7be97564
Matiex
e7d2deba4fccbea79ffa209ebe0ce49f98aecfb340c8d6ec3ea1773cb12cb07e
Matiex
fbc9106506d47f39fddb3a48693e9b3eb80f400d6c273d1e08ecc7ef417f9352
Matiex
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200804-mzdhyelsf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Modifies WinLogon for persistence
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64c935f1295d858c75da3c49fa35d153d6d0b738576cde789b60a84d48d5b409

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/38802/

Comments