MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab928789224fd46229b8c5caffab8625636b7005ba793c796c0696e157da4c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matiex

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	ab928789224fd46229b8c5caffab8625636b7005ba793c796c0696e157da4c99
SHA3-384 hash:	08a6fac36012d4e0eeeceedbd4af60c99b5905b6292b1388dd4353f345d6f77f48dc2b569a5f5764fb422360008a555d
SHA1 hash:	f82c6587a0137e2e9384e824c4d1e30d415247e8
MD5 hash:	c9c85baf97e31c3154ed9ceec13a928e
humanhash:	vermont-jersey-xray-finch
File name:	invoice12212020.exe
Download:	download sample
Signature	Matiex Create hunting rule
File size:	617'984 bytes
First seen:	2020-12-23 07:50:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Y5jULldpW7NDOY6exVmUon2/rJhr18kK8x/f0ymCulS:BdpgD/Y2Jhr62f89l
Threatray	6 similar samples on MalwareBazaar
TLSH	ABD4D16B3D3A9CEBE048DF35BE78AA191009BD0967A4E15FE814E05DAF356218F44D33
Reporter	abuse_ch
Tags:	exe Matiex

Intelligence

File Origin

# of uploads :

# of downloads :

534

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invoice12212020.exe

Verdict:

Malicious activity

Analysis date:

2020-12-23 08:03:08 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/2eb6e123-6208-4b78-9fbb-78799d970368

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Matiex

Link:

https://www.capesandbox.com/analysis/109144/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Sending a UDP request

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Launching the process to change network settings

Creating a window

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Matiex

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/569004

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Matiex Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab928789224fd46229b8c5caffab8625636b7005ba793c796c0696e157da4c99/

Threat name:

Win32.Trojan.Bulz

Status:

Malicious

First seen:

2020-12-23 07:51:04 UTC

AV detection:

18 of 48 (37.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vojipcjcj7kgeknyyxfp7k4gevrww4afxj4ty6lma2locv62jsmq._file

Verdict:

unknown

Matiex

79a907e747dc5b0a4d2594b3365aa71f26b636380b06db8f257ef4ec47b4555f

Matiex

87f611dc06334ac8fd9cf702bc925d4aa921e927658b1ab8a1f58e6ddf3e8817

Matiex

af45ff354aaf65c450cf147194b0f746243361b1385abe580ba10246fee9bd66

Matiex

f512e47ce691f996f43e74cb07be9443f5aa34e1ebcdf3c52c9601da073ea779

Matiex

fc7470a56409ddacd8078e88cc72f63d87a0fdf42d986f13d27a0c961d78884d

Matiex

Result

Malware family:

matiex

Score:

10/10

Tags:

family:matiex keylogger stealer

Link:

https://tria.ge/reports/201223-4r7hyym97n/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Looks up external IP address via web service

Matiex

Matiex Main Payload

Unpacked files

SH256 hash:

5026b4d5a20d9bd7f07f111adbfdcdffa3423e83a1f5a982c1c34ad610eaa678

MD5 hash:

51aed80bd9770c6cd1f8782f1e37eeaa

SHA1 hash:

9130e5240d562529ff74c9664fa906168a11012d

Link:

https://www.unpac.me/results/ba5f68de-2e39-4145-b67e-84c2283aa843/

SH256 hash:

ab928789224fd46229b8c5caffab8625636b7005ba793c796c0696e157da4c99

MD5 hash:

c9c85baf97e31c3154ed9ceec13a928e

SHA1 hash:

f82c6587a0137e2e9384e824c4d1e30d415247e8

Link:

https://www.unpac.me/results/ba5f68de-2e39-4145-b67e-84c2283aa843/

SH256 hash:

d5c857ea8f350ebc156b9fd57afa2bfbe71fb3c149c6f2f7d01b40a2770546fe

MD5 hash:

40aa299562b7b38657cfdeedbac3cb33

SHA1 hash:

ab20daaa10cc1b2a71cd22e72af1120eb32a08a2

Link:

https://www.unpac.me/results/ba5f68de-2e39-4145-b67e-84c2283aa843/

SH256 hash:

4bcbabd9e0fa7355a410cefb1a014a3a53dffcab0ea8010780a193b25f6d8386

MD5 hash:

4509f46dd3d7e8090f8aba2f2f9f5580

SHA1 hash:

14e8dbbc94507e3df6d9d303fd5f5d1dfb4cffb3

Link:

https://www.unpac.me/results/ba5f68de-2e39-4145-b67e-84c2283aa843/

SH256 hash:

c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81

MD5 hash:

eebb807f8a5a2d47c89648e4fb907f89

SHA1 hash:

35e8cbe02f0ce21492333604056e15bdbc923227

Link:

https://www.unpac.me/results/ba5f68de-2e39-4145-b67e-84c2283aa843/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/ab928789224fd46229b8c5caffab8625636b7005ba793c796c0696e157da4c99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_Matiex Create hunting rule
Author:	ditekshen
Description:	Matiex keylogger payload

Rule name:	win_matiex_keylogger_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

exe ab928789224fd46229b8c5caffab8625636b7005ba793c796c0696e157da4c99

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/109144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample