MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0b8949542ca26f2f52c82dcb6444016913b2485828fdb166d37cf3942614f14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matiex

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	a0b8949542ca26f2f52c82dcb6444016913b2485828fdb166d37cf3942614f14
SHA3-384 hash:	10180fd748c0520264bc6001d27c62b89225bdded14521f7a56707145ee50d9b5e38ed11f02eb4962e4126e6757c21b1
SHA1 hash:	8c38ea1c210aef8841507e439d1dfa53f8c1dbd3
MD5 hash:	f170d5d99523ac1d57c916950a3847b1
humanhash:	finch-cat-snake-steak
File name:	NUEVO PEDIDO # 090800.exe
Download:	download sample
Signature	Matiex Create hunting rule
File size:	690'176 bytes
First seen:	2020-12-18 09:26:06 UTC
Last seen:	2020-12-18 10:50:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:gKzl9gMW3mocTuVujAyctoOyWZvyO/BwVtVSjVxFqd3nKy5aL:gK80KUAyctoOyWdZ/Y70vs5a
Threatray	5 similar samples on MalwareBazaar
TLSH	23E412107178BF23D87C87FB1A64660907B9E57E2692F34C4DE674CB26A1B508B91E33
Reporter	abuse_ch
Tags:	exe Matiex

abuse_ch

Malspam distributing Matiex:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: ventas4@autekmaquinaria.com.mx
Subject: NUEVO ORDEN-09089
Attachment: NUEVO PEDIDO 090800.gz (contains "NUEVO PEDIDO # 090800.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NUEVO PEDIDO # 090800.exe

Verdict:

Malicious activity

Analysis date:

2020-12-18 10:04:48 UTC

Tags:

evasion trojan 404keylogger stealer

Link:

https://app.any.run/tasks/51f80c97-f4a0-48c1-8c2b-93b83d302ba4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Matiex

Link:

https://www.capesandbox.com/analysis/108359/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.7871.8506.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Enabling autorun by creating a file

Result

Gathering data

Result

Threat name:

Matiex

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/566167

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Matiex Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0b8949542ca26f2f52c82dcb6444016913b2485828fdb166d37cf3942614f14/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-17 21:50:21 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uc4jjfkczitpf5jmqlolmrcac2itwjefqkh5wftng7htsqtbj4ka._file

Verdict:

unknown

Matiex

be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da

Matiex

c3e9b8ef7b36f8f6274bfc301b301544a1ccc4fe50a532c96e04562a94929917

Matiex

d660a5cb266aa2629618af24c76b1602e043d62f336dfffb89c156ed94c28bbb

Matiex

fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044

Matiex

Result

Malware family:

matiex

Score:

10/10

Tags:

family:matiex keylogger spyware stealer

Link:

https://tria.ge/reports/201218-ahy6ntp5ma/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Matiex

Matiex Main Payload

Unpacked files

SH256 hash:

a0b8949542ca26f2f52c82dcb6444016913b2485828fdb166d37cf3942614f14

MD5 hash:

f170d5d99523ac1d57c916950a3847b1

SHA1 hash:

8c38ea1c210aef8841507e439d1dfa53f8c1dbd3

Link:

https://www.unpac.me/results/7b5923e9-c0be-4874-a2e9-bc94a65628e0/

SH256 hash:

c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81

MD5 hash:

eebb807f8a5a2d47c89648e4fb907f89

SHA1 hash:

35e8cbe02f0ce21492333604056e15bdbc923227

Link:

https://www.unpac.me/results/7b5923e9-c0be-4874-a2e9-bc94a65628e0/

SH256 hash:

bb92162da427429dd84c703f5fbd7fc4b7a92265c99c955e522a1b8913d58ab5

MD5 hash:

5926d0903722701b35f01d6c40734fbe

SHA1 hash:

711c28a959b08322bd62dc48ef82cf9589584b4c

Link:

https://www.unpac.me/results/7b5923e9-c0be-4874-a2e9-bc94a65628e0/

SH256 hash:

e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527

MD5 hash:

bf99ee5fbf42797bd1ade95b109d634c

SHA1 hash:

e02abfdbca94a24a36b47d49a28360b79aabd294

Link:

https://www.unpac.me/results/7b5923e9-c0be-4874-a2e9-bc94a65628e0/

SH256 hash:

a23918d6e582c123140d76477e7e211e11eab5cbfad5879a032c534d570e2325

MD5 hash:

d8bc528b895537f52c9564f2ffc9797e

SHA1 hash:

f2641755f8523aff9ac614d393353cb0dd9d65d0

Link:

https://www.unpac.me/results/7b5923e9-c0be-4874-a2e9-bc94a65628e0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0b8949542ca26f2f52c82dcb6444016913b2485828fdb166d37cf3942614f14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_Matiex Create hunting rule
Author:	ditekshen
Description:	Matiex keylogger payload

Rule name:	win_matiex_keylogger_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip b4b292dfde5eaab68b5fbaedfae48b3dbc57701bbe380e18523a43f8c13613da

Matiex

exe a0b8949542ca26f2f52c82dcb6444016913b2485828fdb166d37cf3942614f14

(this sample)

Dropped by

MD5 b84e71b2d0eccda95385714accc91725

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 b4b292dfde5eaab68b5fbaedfae48b3dbc57701bbe380e18523a43f8c13613da

Cape

https://www.capesandbox.com/analysis/108359/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample