MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f59b570da870e11eaf77941198ee243353d60b7899bc672dd0562787523bc6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f59b570da870e11eaf77941198ee243353d60b7899bc672dd0562787523bc6a
SHA3-384 hash: 867b7e64b87dc1b734b71882c6fd9a9654c7c79e26471eded2fdefbfb0df2e18ac0c280a2e2a8a17308f273145a0e791
SHA1 hash: 02c976d6b018b0fcf037f39fdf70c4c024e1b636
MD5 hash: c44a2ceeb432c4cd0c201e6ab7708c07
humanhash: fruit-beer-lima-fanta
File name:shipment details.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:714'240 bytes
First seen:2020-10-09 06:34:43 UTC
Last seen:2020-10-09 08:02:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:FijIlLL1VTdWFCWPnqCteRuCVEhkmgYgRq3pyv4fmakNIhV0fyOnpUgY:FqIl/1VTOffeECuhhgT8Uv+kNIhkyXg
Threatray 4 similar samples on MalwareBazaar
TLSH B4E4238D108E8115DBBC663B79C364058BB9F21B22921FCA99E897F0359FFC0579395C
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: dd17118.kasserver.com
Sending IP: 85.13.137.241
From: Payment & Shipment Department <info@carbondream.de>
Subject: Re: Payments - October Invoices
Attachment: shipment details.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69461/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Sending a UDP request
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Threat name:
AgentTesla Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/486386
Signature
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f59b570da870e11eaf77941198ee243353d60b7899bc672dd0562787523bc6a/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 10:09:21 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5m3k4g2q4hbd2xxpfartdxcim2t2yfxrgn4m4w5avrhq5jdxrva._file
Verdict:
unknown
Similar samples:
99a9f37b29dd440c803ea37c57a6acded495d4b49c165f66b3fbe8a427972799
Matiex
9d36d33688fefea55f7b2b7c25165ab3a85319b5f466174fa2396537187eabe0
Matiex
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
Matiex
cd62c1ca555d8caedbf2f6974500577216b34549681682d8802af804f0510f46
Matiex
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:matiex spyware
Link:
https://tria.ge/reports/201009-5twb7xr67x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
8f59b570da870e11eaf77941198ee243353d60b7899bc672dd0562787523bc6a
MD5 hash:
c44a2ceeb432c4cd0c201e6ab7708c07
SHA1 hash:
02c976d6b018b0fcf037f39fdf70c4c024e1b636
Link:
https://www.unpac.me/results/213368b7-bf8b-4102-9654-626f11623671/
SH256 hash:
c45fa5a6e52030f9a9f4de1d212eb9b64694c33a92c06aac9137bd0187d5230d
MD5 hash:
1998078c01fb890ec06fee8a34365be0
SHA1 hash:
2d7026b806de72dae9f9018df9e16338f9f1db62
Link:
https://www.unpac.me/results/213368b7-bf8b-4102-9654-626f11623671/
SH256 hash:
5467733df3c030fd5c938ae620849a81ba5e77fb30e79fb291427ccb1d3e8338
MD5 hash:
993d299a5838e51a38dde51ff198a1ca
SHA1 hash:
33bbb610ead59fe45899db669546eb481a855b00
Link:
https://www.unpac.me/results/213368b7-bf8b-4102-9654-626f11623671/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/213368b7-bf8b-4102-9654-626f11623671/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f59b570da870e11eaf77941198ee243353d60b7899bc672dd0562787523bc6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

Executable exe 8f59b570da870e11eaf77941198ee243353d60b7899bc672dd0562787523bc6a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69461/

Comments