MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 989fe5a99d4086427ede2f13e32837f35d9c1825e2af58e26f41adc02f861a8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 989fe5a99d4086427ede2f13e32837f35d9c1825e2af58e26f41adc02f861a8f
SHA3-384 hash: ae0651c247d777e56262c4b8fc4af3f709e8907cbce5bf580fddee3ad2a0eb2656f2ab714b3d29a3ed0c292f25ee47ec
SHA1 hash: 0dad361e5129f4c17615c542f2d346c9b034a4bc
MD5 hash: 676a5eadc2364ef2d9c8ec4dcad0e001
humanhash: gee-moon-asparagus-magazine
File name:Invoice.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:743'424 bytes
First seen:2021-05-28 13:08:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6ejvIQDIA0pxAi3v+MG+kHUD/YfV1R2yvptkIihhBK+IxQtc:NrIQn0pGi34eY7RXfsBKUt
Threatray 28 similar samples on MalwareBazaar
TLSH 65F46C1D12D8172AD17DD3B8CDE0951393A1F523B622FE9D98C503A90B936C6B99333E
Reporter James_inthe_box
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-05-28 13:10:37 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/1a4de6cc-96c8-4c8c-a78b-eaf0c2bd7fbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162970/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793845
Signature
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426241 Sample: Invoice.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 55 Sigma detected: Capture Wi-Fi password 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AgentTesla 2->59 61 7 other signatures 2->61 8 Invoice.exe 3 2->8         started        12 newapp.exe 3 2->12         started        process3 file4 31 C:\Users\user\AppData\...\Invoice.exe.log, ASCII 8->31 dropped 63 May check the online IP address of the machine 8->63 65 Uses netsh to modify the Windows network and firewall settings 8->65 67 Tries to harvest and steal WLAN passwords 8->67 14 Invoice.exe 15 8 8->14         started        69 Multi AV Scanner detection for dropped file 12->69 71 Injects a PE file into a foreign processes 12->71 19 newapp.exe 14 2 12->19         started        21 newapp.exe 12->21         started        23 newapp.exe 12->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.org 14->39 41 dmfkinspirations.com 103.6.198.20, 49735, 49739, 49740 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 14->41 45 5 other IPs or domains 14->45 33 C:\Users\user\AppData\Roaming\newapp.exe, PE32 14->33 dropped 35 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 14->35 dropped 37 C:\Users\user\AppData\Roaming\...\newapp.url, MS 14->37 dropped 47 Tries to steal Mail credentials (via file access) 14->47 49 Tries to harvest and steal ftp login credentials 14->49 51 Tries to harvest and steal browser information (history, passwords, etc) 14->51 53 Tries to harvest and steal WLAN passwords 14->53 25 netsh.exe 3 14->25         started        43 checkip.dyndns.org 19->43 27 WerFault.exe 9 19->27         started        file8 signatures9 process10 process11 29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/989fe5a99d4086427ede2f13e32837f35d9c1825e2af58e26f41adc02f861a8f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-28 12:32:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcp6lkm5icdee7w6f4j6gkbx6nozygbf4kxvrytpigw4al4gdkhq._file
Verdict:
unknown
Similar samples:
07c764029bc53a23ecde50473f42e72e44b1eed4001cff0566366b19340fec5f
Matiex
08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c
Matiex
0cc0e62d3e7c77721cb6c205d05b967350a7dfe7aef2aae743eda279f87cd035
Matiex
15cff1e96f3e53bed8732e1941086ab69123e8937918b03122a80e0dce4abbc1
Matiex
392e14e40cc92c4ad074559b359c6ce39388ce89a2fa8c158f63b7baedda2339
Matiex
3de66e8bc0120cf55e5523f00c0c36082da6b3bd8f3f08f105b39e1c434b320f
Matiex
bd25f167e43a8527acf98879dcaeba045084d9d892852f1334331085a4da27bf
Matiex
ca54068918281e4c84cdd17b0a834f9518cda57c362d82a8393bcae117af33c0
Matiex
cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015
Matiex
d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf
Matiex
+ 18 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
family:matiex keylogger spyware stealer
Link:
https://tria.ge/reports/210528-3qjw1e8e22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/989fe5a99d4086427ede2f13e32837f35d9c1825e2af58e26f41adc02f861a8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/162970/

Comments