MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8204a720bdcb3db0b4241f2331dff32ec003476a6072df452388323f91912022. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8204a720bdcb3db0b4241f2331dff32ec003476a6072df452388323f91912022
SHA3-384 hash: b04dca9a2f25ac16a668d95170e345ad0bc4e8b7231fd4e0b94afdd9abb1368d7abe69f50032ff15cdd1d7195f0586b4
SHA1 hash: 9ff18614ac99149576cc46f734faa31db49d8185
MD5 hash: 19384153658f54a36ccc557417c8703e
humanhash: wyoming-november-iowa-one
File name:LIST OF NEW PO order___148SRLS6725W2 ALS.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:869'176 bytes
First seen:2020-10-07 05:29:05 UTC
Last seen:2020-10-07 06:48:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:mkUHpR8+ovVpowaGVFgLrbgUpj+vvvtg/dBi97ga:mk/99iwayKjSvvvtglYka
Threatray 20 similar samples on MalwareBazaar
TLSH BE05D061B005F447D64B1AB12C1FE86014A6BABE9965C20D7492771EC9F339720AFECF
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: atl4mhob16.registeredsite.com
Sending IP: 209.17.115.109
From: orders <orders@echoproducts.com>
Reply-To: orders <orders@echoproducts.com>
Subject: Re: Re: URGENT REFERENCE FOR QUOTATION OF ATTACHED NEW ORDER LIST
Attachment: LIST OF NEW PO order___148SRLS6725W2 ALS.img (contains "LIST OF NEW PO order___148SRLS6725W2 ALS.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68816/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/483752
Signature
Binary contains a suspicious time stamp
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8204a720bdcb3db0b4241f2331dff32ec003476a6072df452388323f91912022/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 04:14:57 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qickoif5zm63bnbed4rtdx7tf3aagr3kmbzn6rjdrazd7emreara._file
Verdict:
unknown
Similar samples:
2c4f41d645657a8be7da399765e00d1d7e170fc6d7114e14fff1c8d717fbca16
Matiex
2ddbf5aed765723b948699526bc2a9a49864dc1181e21f4c51fe613aa8d0ca7e
Matiex
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
Matiex
8bc8f11f65265cd267e36dd30710793863582fd6e4c554d50fa5a083d015ced6
Matiex
8e87c32725b853bc0ba2bbd95c3095b203bd064599d7ce35e310dc29b8d41528
Matiex
99d1e6642a3f135215927e2166213409c4390a70332a77ea5fb342beaf629d65
Matiex
ac7be59f994a2d6ba829e6a7db30ce60594cc2384c55d673e72ee1256737946a
Matiex
c725eea92437455b05cf0c4007e63abff342befc67e4b8ad0e60eaa96074955e
Matiex
c838da7346e7f3373f9f1a84a073c248f785e82be48db979cdb339460402de06
Matiex
ea34ce44176906af3dd7ec1e4d9db0df144f5769ce3298d88864698c54164c9b
Matiex
+ 10 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:matiex spyware
Link:
https://tria.ge/reports/201007-rk885nkc82/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
91f1cce4673908464451a7e0f7b22fe1c7a802c64888106eb3c20e1d7eb6455a
MD5 hash:
f952ecd241c375503f4decfb9cbd6ca3
SHA1 hash:
c1f6bb42349c75946613f2deab93f00bda8ec61c
Link:
https://www.unpac.me/results/3492f41f-6d06-45ab-98bf-9d21eb7a50ca/
SH256 hash:
8204a720bdcb3db0b4241f2331dff32ec003476a6072df452388323f91912022
MD5 hash:
19384153658f54a36ccc557417c8703e
SHA1 hash:
9ff18614ac99149576cc46f734faa31db49d8185
Link:
https://www.unpac.me/results/3492f41f-6d06-45ab-98bf-9d21eb7a50ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8204a720bdcb3db0b4241f2331dff32ec003476a6072df452388323f91912022

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

img 479b99e01f707260794b52495e31967345d6e1830ee415821fff5e0910e448c8

Matiex

Executable exe 8204a720bdcb3db0b4241f2331dff32ec003476a6072df452388323f91912022

(this sample)

  
Dropped by
MD5 2988859f559346373267575893b573f2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68816/
  
Dropped by
SHA256 479b99e01f707260794b52495e31967345d6e1830ee415821fff5e0910e448c8

Comments