MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f8a9e60c3f540b692f2a5534e0fa022e44a87c8a8d67842ec6c7e5aa1de758a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matiex
Vendor detections: 8

SHA256 hash: 6f8a9e60c3f540b692f2a5534e0fa022e44a87c8a8d67842ec6c7e5aa1de758a
SHA3-384 hash: 426ef8dba96d1069fbecf230c69a365df171caf5edd156b388ce9d7470141d2943b54a0d3800898db7ca6520d6831823
SHA1 hash: b235f335469092700d4a9a8c5ab9c89c3ccffa75
MD5 hash: 851c76cce3869be0dc6e38e546b41508
humanhash: tennessee-golf-orange-ceiling
File name: Aralık ekstreniz.scr
Signature: Matiex
File size: 1'477'632 bytes
First seen: 2020-12-18 09:50:40 UTC
Last seen: 2020-12-18 11:35:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:ZAIppbn1N1fvUEYdxfF9WSJxhn3nCkIwO1w04mL:ZAa5HTYDF9WS3hn3CkE4m
Threatray: 83 similar samples on MalwareBazaar
TLSH: A565AE143BD66719E23B9F758AD26045CBFAF6B76703E98F2CC103C90626E25CD61329
Reporter: abuse_ch
Tags: geo, Matiex, scr, TUR


abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: ekstre@eekstre.qnbfinansbank.com
Subject: CardFinans KOBİ Visa Aralık ayi ekstreniz.
Attachment: Aralık ekstreniz.zipx (contains "Aralık ekstreniz.scr")

Intelligence


File Origin
# of uploads: 2
# of downloads: 197
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Aralık ekstreniz.scr
Verdict: Malicious activity
Analysis date: 2020-12-18 10:11:58 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Gathering data

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Behaviour
Behavior Graph (ID 332173; sample Aralık ekstreniz.scr; start date 18/12/2020; architecture WINDOWS; score 100):
Root signatures: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; 12 other signatures.
Process Aralık ekstreniz.exe started. It dropped C:\Users\user\AppData\Roaming\oFlpLZq.exe (PE32), C:\Users\user\...\oFlpLZq.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp275C.tmp (XML) and C:\Users\...\Aralık ekstreniz.exe.log (ASCII). Signature: Injects a PE file into a foreign processes. It started two further Aralık ekstreniz.exe instances and schtasks.exe.
One Aralık ekstreniz.exe child contacted mail.zavidovici.ba, checkip.dyndns.org and 4 other IPs or domains. Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords. It started netsh.exe, which started conhost.exe.
schtasks.exe started conhost.exe.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-12-18 09:51:21 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Matiex: Executable exe 6f8a9e60c3f540b692f2a5534e0fa022e44a87c8a8d67842ec6c7e5aa1de758a (this sample)

Delivery method: Distributed via e-mail attachment

Comments