MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa65eef03e50dbaba9ba7729d7d5f4a24d9302c028ec1640db45d47096ab29d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matiex

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	6fa65eef03e50dbaba9ba7729d7d5f4a24d9302c028ec1640db45d47096ab29d
SHA3-384 hash:	6e061dbea3db364ddb5cd8321e0953597a196aafd187db09de7e1385a88db8a4f1ac129ee502d84ebfd99b6a94a5e059
SHA1 hash:	164cca839ad92c95b3ccbf75873c8d590ff29c89
MD5 hash:	40f119bd23e3dfe95c416a839da87142
humanhash:	cold-alabama-six-violet
File name:	0908000009h090000.exe
Download:	download sample
Signature	Matiex Create hunting rule
File size:	590'848 bytes
First seen:	2020-10-14 15:53:26 UTC
Last seen:	2020-10-14 17:01:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e1f53fce110b7d04af8f614eb6503963 (2 x Matiex)
ssdeep	6144:BDsTMZ0ZzXnCnXTU/pioc07GuGneAf0faVMQATg3/mEMHV68PoRTAh8sw14DTrMy:BoTMUzXCYJGneDfS0PoRTqq14Dz
Threatray	7 similar samples on MalwareBazaar
TLSH	5CC46C0D08C87198E489807638E69A6047FD7563B625AE324F1D34A7FC36D8DC94BEF6
Reporter	abuse_ch
Tags:	exe Matiex

abuse_ch

Malspam distributing Matiex:

From: financierocvc@gmail.com
Subject: purchase order- urgent!
Attachment: 0908000009h090000.zip (contains "0908000009h090000.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70919/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.29163.13981.13081.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Launching the process to change network settings

Creating a window

Unauthorized injection to a system process

Result

Threat name:

Matiex

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/491398

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: MSBuild connects to smtp port

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Matiex Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fa65eef03e50dbaba9ba7729d7d5f4a24d9302c028ec1640db45d47096ab29d/

Threat name:

Win32.Trojan.Malrep

Status:

Malicious

First seen:

2020-10-14 14:10:22 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6tf53yd4ug3vou3u5zj27k7jisnsmbmakhmczanwrouoclkwkoq._file

Verdict:

unknown

Matiex

3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9

Matiex

3bbc420e96825537d8483d080f9918b4d8303aff054b1cd94126ff67fa0526b7

Matiex

60d7a9feec05511bd20c144fd23ad438d80b673487ebe45d857906c054c82ca0

Matiex

624d8606b6fadc7aa8b9cbb72a12338fce28325f9bc849a78a5f91147f36c844

Matiex

deb96dddc557e467d8e3ac9bf5ee8fc167f74461d84e823925c0f8c7b33422e7

Matiex

f23176b88ae0da50473883837d6368b64c86e2f7c5a7cc3b59566f461318d99f

Matiex

Result

Malware family:

matiex

Score:

10/10

Tags:

stealer keylogger family:matiex spyware

Link:

https://tria.ge/reports/201014-k8k6q3vhx6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Matiex

Matiex Main Payload

Unpacked files

SH256 hash:

6fa65eef03e50dbaba9ba7729d7d5f4a24d9302c028ec1640db45d47096ab29d

MD5 hash:

40f119bd23e3dfe95c416a839da87142

SHA1 hash:

164cca839ad92c95b3ccbf75873c8d590ff29c89

Link:

https://www.unpac.me/results/1301edc2-d66a-4d52-9d72-26cf0d4d6b78/

SH256 hash:

76f84d3c666ca1d6ee96f3844a821c1e6e863d6004132def87d3ef3308b4c7ff

MD5 hash:

64e3b1e8d3505c4885c573e92ba2b7b9

SHA1 hash:

1cec5539d80155c7db76b557df7114fc3ae4a4b8

Link:

https://www.unpac.me/results/1301edc2-d66a-4d52-9d72-26cf0d4d6b78/

SH256 hash:

c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81

MD5 hash:

eebb807f8a5a2d47c89648e4fb907f89

SHA1 hash:

35e8cbe02f0ce21492333604056e15bdbc923227

Link:

https://www.unpac.me/results/1301edc2-d66a-4d52-9d72-26cf0d4d6b78/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6fa65eef03e50dbaba9ba7729d7d5f4a24d9302c028ec1640db45d47096ab29d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.