MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa3ad2bc7de6aab74f28326021d7889b90daf829483251016f388c07fb0b6d48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa3ad2bc7de6aab74f28326021d7889b90daf829483251016f388c07fb0b6d48
SHA3-384 hash: 055ecb2478ebde37c40d3bba311c0a2bbb124dfc84ed35c456f608fba79b86dd21ae13b02c2a156d22bdb55f9aabc9a4
SHA1 hash: 5904ed3eb6aedd3734393308823f0cd6eb594558
MD5 hash: b513916e8a067da42f5672daae46e65d
humanhash: leopard-spaghetti-pluto-arkansas
File name:Trial Purchase Order Document-20201022‮gpj.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:539'136 bytes
First seen:2020-10-22 06:53:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:eAwt2dqdLkBYQkO472/RB1HsJKBnNBSgngI:PwEAdLkBYQkF72JPMcBn
Threatray 188 similar samples on MalwareBazaar
TLSH 24B44C227F89DD66C0A7AAF79182732DB725DCCB8E528B02C67C7566C063AC07D3D644
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.uuwears.com
Sending IP: 45.95.169.179
From: info@uuwears.com
Subject: ORDER
Attachment: Trial Purchase Order.rar (contains "Trial Purchase Order Document-20201022‮gpj.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74491/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/506717
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa3ad2bc7de6aab74f28326021d7889b90daf829483251016f388c07fb0b6d48/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 01:47:58 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vi5nfpd542vlotzigjqcdv4itoinv6bjjazfcalphcgap6ylnvea._file
Verdict:
unknown
Similar samples:
030ade527870e102090906fca264da749db0e0a8bb405e8aad7a58bf9cf68ba8
Matiex
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
Matiex
3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
Matiex
5440e3ba334553d5264329b32eaab06d2bd91e4dc69b83968723d2abcc1bb3de
Matiex
55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9
Matiex
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
Matiex
b05eb1ace6dd219a6e5ea23d25ea88bbd672ad379ac4dcaa935acbfdece37c0b
Matiex
d51840953f6ba82b4285527d838e0034d9ffa1dc1de94b73ed56e5e0b33e5eb5
Matiex
d99bf6fbde49105ddb9326b1a8020e5b22f64afa1a81793e34dcac17b3fbac44
Matiex
e9fb11df00c7a833b875f7c68fc6d5ee3edeeac7c63d85fc4897f6aef7596f7c
Matiex
+ 178 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:matiex persistence spyware
Link:
https://tria.ge/reports/201022-4ftfr7ehta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Matiex
Matiex Main Payload
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
aa3ad2bc7de6aab74f28326021d7889b90daf829483251016f388c07fb0b6d48
MD5 hash:
b513916e8a067da42f5672daae46e65d
SHA1 hash:
5904ed3eb6aedd3734393308823f0cd6eb594558
Link:
https://www.unpac.me/results/f70d9f22-7483-4b30-9beb-75bfac0f1d32/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/f70d9f22-7483-4b30-9beb-75bfac0f1d32/
SH256 hash:
5886dbc91ebc7a1e9d6b72794eb0bed7403d060a322aec65a9269f52deb4ff46
MD5 hash:
773658b99d7e72b3b75b404c4afc1dec
SHA1 hash:
3938e9d73cdedf65c4a2ee321d6b6a35f62ddb3a
Link:
https://www.unpac.me/results/f70d9f22-7483-4b30-9beb-75bfac0f1d32/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/f70d9f22-7483-4b30-9beb-75bfac0f1d32/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

rar 742041f62a41fb254fd54a31a1c93093f19da42cd7fd1b5a478f0cade05a8519

Matiex

Executable exe aa3ad2bc7de6aab74f28326021d7889b90daf829483251016f388c07fb0b6d48

(this sample)

  
Dropped by
MD5 92dd2c9c59e94e02ef6c6da29479b67e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74491/
  
Dropped by
SHA256 742041f62a41fb254fd54a31a1c93093f19da42cd7fd1b5a478f0cade05a8519

Comments