MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
SHA3-384 hash: eb859867a6db7eecf411acbc18f337478e63ec6bb5ac2e0618fdd2e83ec4c4cea3c1fff7c22fcbe6c75547b8b7699587
SHA1 hash: cd990deea4530f113c617b9cda0eeea7ada9170e
MD5 hash: 9dd6a382a4b8e3295ed977f1cc176c0a
humanhash: orange-hydrogen-carolina-five
File name:PO#8938928.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:2'008'638 bytes
First seen:2020-09-25 13:19:26 UTC
Last seen:2020-09-25 13:48:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 971465ba55aa2969c976f7f768bcd887 (2 x AgentTesla, 1 x Matiex, 1 x Pony)
ssdeep 24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6
TLSH 73952A379F86A821F195D1BCE4A503FCE4B259689CA27781BFE6DF0C7916340AB341D2
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: freightsindonusa.com
Sending IP: 111.68.113.50
From: acct1@freightsindonusa.com
Subject: Re: PRICE & AVAILABILITY <URGENT >PO KV/PO#8938928!
Attachment: PO8938928.zip (contains "PO#8938928.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65831/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.6489.11823.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.24003.12228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Threat name:
Matiex WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475173
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290045 Sample: PO#8938928.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 78 Sigma detected: Register Wscript In Run Key 2->78 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Multi AV Scanner detection for domain / URL 2->82 84 14 other signatures 2->84 9 PO#8938928.exe 2->9         started        12 wscript.exe 2->12         started        process3 signatures4 96 Writes to foreign memory regions 9->96 98 Allocates memory in foreign processes 9->98 100 Queues an APC in another process (thread injection) 9->100 14 notepad.exe 5 9->14         started        18 scvhost.exe 12->18         started        process5 file6 58 C:\Users\user\AppData\Roaming\...\scvhost.exe, PE32 14->58 dropped 60 C:\Users\user\...\scvhost.exe:Zone.Identifier, ASCII 14->60 dropped 62 C:\Users\user\AppData\Roaming\...\host.vbs, ASCII 14->62 dropped 116 Creates files in alternative data streams (ADS) 14->116 118 Drops VBS files to the startup folder 14->118 120 Deletes itself after installation 14->120 20 scvhost.exe 3 4 14->20         started        122 Maps a DLL or memory area into another process 18->122 24 scvhost.exe 18->24         started        signatures7 process8 file9 42 C:\Users\user\AppData\...\BsA2woE9zZbLwSC.exe, PE32 20->42 dropped 44 SDOupJClKPesZvUKaa...lkzwnEoJFcriZd6i.js, ASCII 20->44 dropped 86 Multi AV Scanner detection for dropped file 20->86 88 Detected unpacking (changes PE section rights) 20->88 90 Detected unpacking (overwrites its own PE header) 20->90 92 3 other signatures 20->92 26 wscript.exe 3 3 20->26         started        30 BsA2woE9zZbLwSC.exe 15 2 20->30         started        33 scvhost.exe 14 11 20->33         started        35 scvhost.exe 20->35         started        signatures10 process11 dnsIp12 48 SDOupJClKPesZvUKaa...lkzwnEoJFcriZd6i.js, ASCII 26->48 dropped 102 Drops script or batch files to the startup folder 26->102 104 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 26->104 106 Wscript called in batch mode (surpress errors) 26->106 37 wscript.exe 26->37         started        68 checkip.dyndns.org 30->68 70 checkip.dyndns.com 162.88.193.70, 49725, 49729, 80 DYNDNSUS United States 30->70 72 freegeoip.app 104.28.4.151, 443, 49730 CLOUDFLARENETUS United States 30->72 108 Antivirus detection for dropped file 30->108 110 Multi AV Scanner detection for dropped file 30->110 112 Tries to steal Mail credentials (via file access) 30->112 114 2 other signatures 30->114 74 rajas.com.my 103.6.196.76, 49745, 80 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 33->74 76 192.168.2.1 unknown unknown 33->76 50 C:\Users\user\Desktop\bin.exe, PE32 33->50 dropped 52 C:\Users\user\Desktop\libsodium.dll, PE32 33->52 dropped 54 C:\Users\user\Desktop\libsodium-64.dll, PE32+ 33->54 dropped 56 2 other files (none is malicious) 33->56 dropped file13 signatures14 process15 dnsIp16 64 blackhillls.ddns.net 197.210.226.198, 1334 VCG-ASNG Nigeria 37->64 66 ip-api.com 208.95.112.1, 49723, 80 TUT-ASUS United States 37->66 46 SDOupJClKPesZvUKaa...lkzwnEoJFcriZd6i.js, ASCII 37->46 dropped 94 System process connects to network (likely due to code injection or exploit) 37->94 file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 13:06:04 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=peip5iewdd66dotmfy7kbcg6kaij42c5ecxbycg7f6fvgd653fsa._file
Verdict:
suspicious
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
upx persistence spyware stealer keylogger family:matiex
Link:
https://tria.ge/reports/200925-4z73em7evx/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
UPX packed file
ServiceHost packer
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
MD5 hash:
9dd6a382a4b8e3295ed977f1cc176c0a
SHA1 hash:
cd990deea4530f113c617b9cda0eeea7ada9170e
Detections:
win_houdini_a0
Create hunting rule
Link:
https://www.unpac.me/results/344c3b56-f9f8-4aca-965c-f3a43fda4760/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Andromeda_MalBot_Jun_1A
Create hunting rule
Author:Florian Roth
Description:Detects a malicious Worm Andromeda / RETADUP
Reference:http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

badef0ecf78a44a13d19d74872d698fa

Matiex

Executable exe 7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

(this sample)

  
Dropped by
MD5 badef0ecf78a44a13d19d74872d698fa
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65831/

Comments