MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8508dd939f37a821ad3d0060c1e472f258bb7d4064e1a602661bb3971f20251f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8508dd939f37a821ad3d0060c1e472f258bb7d4064e1a602661bb3971f20251f
SHA3-384 hash: cff826f8fdb7ce19bcd9528ba6df1923f4a537395ffc41f2643556dcdec05228f6b8f32d9c141fddd119035df9bfb9ea
SHA1 hash: 3c020015aa99de28a8c5c4a4f16f52204053e687
MD5 hash: 514e0b84280c4c4745330f126c46b0c5
humanhash: twelve-golf-zulu-helium
File name:01_extracted.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:1'241'088 bytes
First seen:2021-05-15 21:17:56 UTC
Last seen:2021-05-16 09:27:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:pYrL5af7ioninaDMla6sei3fIZW1uqnkrWG6gK/RTjWvooSKC:pQ5amouaDoa1eiSW1uTazZ5vWe
Threatray 35 similar samples on MalwareBazaar
TLSH C645222877864E02D0BF06B9C7D11D3117B48936D50BF31E6DAE5AD809E27CBD1632AB
Reporter Racco42
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01_extracted.exe
Verdict:
Malicious activity
Analysis date:
2021-05-15 21:19:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12fadb69-bb64-4c91-93a3-040d8a17f53d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157456/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Sending a UDP request
Deleting a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/782866
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Yara detected AgentTesla
Yara detected Beds Obfuscator
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415262 Sample: 01_extracted.exe Startdate: 15/05/2021 Architecture: WINDOWS Score: 96 27 Antivirus detection for dropped file 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 Yara detected AgentTesla 2->31 33 6 other signatures 2->33 7 01_extracted.exe 1 11 2->7         started        process3 file4 19 C:\Users\user\AppData\Local\...\rundll32-.txt, PE32 7->19 dropped 21 C:\Users\...\rundll32-.txt:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\Temp\mata.bat, ASCII 7->23 dropped 25 2 other files (1 malicious) 7->25 dropped 35 Creates autostart registry keys with suspicious names 7->35 11 cmd.exe 1 7->11         started        13 notepad.exe 7->13         started        signatures5 process6 process7 15 wscript.exe 11->15         started        17 conhost.exe 11->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8508dd939f37a821ad3d0060c1e472f258bb7d4064e1a602661bb3971f20251f/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-15 21:18:10 UTC
AV detection:
28 of 47 (59.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=quen3e47g6ucdlj5abqmdzds6jmlw7kamtq2matgdozzohzaeupq._file
Verdict:
unknown
Similar samples:
4bd12f48c0a5a1dd9a4c0dd17460f2941f3a1b2b11b95961b4092f07622eb5c3
Matiex
55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9
Matiex
5c616e633ee33cf1ebc784661459a1990201bc9baf77c6c59a8ee5d1b25dcde4
Matiex
63df90b645f7523d984b627c04374be05b3b455d8a1b63affb86ffc9aa197939
Matiex
76ff41be8f7f15dbb035fb27ad00cbd313d0d75745945b81642f10986fc83ffb
Matiex
7e5781736b54a7fa874ce94e54f6c5540aa2b223c2875570a94db1e554cf4936
Matiex
8759d45e142c15d4e4cc63fc147114ef52bb57623710552c4ba76f43face2524
Matiex
88c93fb2359cc5f0da6886983c67d923955d210daf5a458e382d024124a67458
Matiex
cffb56dddf9b596328082781400f1b5a1d7a995719c78dbdcbe41b026c86010b
Matiex
db4b9e3a0264451368c24fb5f9e9a8722bb0afc6fb184fca9a54b7cb1aec4249
Matiex
+ 25 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
family:matiex keylogger persistence stealer
Link:
https://tria.ge/reports/210515-9tvkn8y75s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Matiex
Matiex Main Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8508dd939f37a821ad3d0060c1e472f258bb7d4064e1a602661bb3971f20251f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/157456/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-15 21:59:39 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data