MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matrix


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40
SHA3-384 hash: 25c63c0dda9d9a83465598634290ef9427e1d9bd79942541d1119b7833c8144436139cfbcfe6da5ce6a6361f4ce4b0a3
SHA1 hash: 4dd84a6c87e777ad12aeb38c0bba81892c5e464d
MD5 hash: b3b77dc22f4f656dd036d6dc3b43f6e2
humanhash: kentucky-alanine-snake-muppet
File name:afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40.bin
Download: download sample
Signature Matrix
Create hunting rule
File size:1'235'456 bytes
First seen:2020-10-15 17:16:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca3b1af31abe1beced65a635aa0c47a3 (4 x Matrix)
ssdeep 24576:rxcxFP+OOobRioyJR5ezu413hJE5cxoBIFvA:WfzBE6x3I
Threatray 10 similar samples on MalwareBazaar
TLSH 87457D23B34860BEC8690A3249B7CD54793F7771A9168C1767F0492CEF695813E3AA4F
Reporter Arkbird_SOLG
Tags:Matrix Ransomware


Avatar
ArkbirdDevil
Pattern -> [AdamBrown89@criptext.com][$Filename].AB89

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
VSSDestroy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71537/
Detection(s):
Win.Ransomware.Matrix-7530993-0
Create hunting rule

PUA.Win.Adware.Dealply-6840263-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% directory
Changing a file
Reading critical registry keys
Modifying an executable file
Moving a file to the %AppData% subdirectory
Moving a file to the Program Files subdirectory
Moving a file to the Program Files directory
Creating a file in the Program Files subdirectories
Network activity
Connection attempt
Launching a process
Creating a window
Stealing user critical data
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492811
Signature
Antivirus / Scanner detection for submitted sample
Changes the wallpaper picture
Drops batch files with force delete cmd (self deletion)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Wscript called in batch mode (surpress errors)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298857 Sample: jsezPXBYSo.bin Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 2 other signatures 2->66 8 jsezPXBYSo.exe 502 2->8         started        process3 dnsIp4 58 sec.timerz.org 199.59.242.150, 49719, 49849, 50251 BODIS-NJUS United States 8->58 48 C:\Users\user\DesktopbehaviorgraphYt8ApGd.exe, PE32 8->48 dropped 50 C:\Users\user\Desktop50VWZAPQSQL.xlsx, data 8->50 dropped 52 C:\Users\user\Desktop\...52VWZAPQSQL.xlsx, data 8->52 dropped 54 93 other files (81 malicious) 8->54 dropped 70 Drops batch files with force delete cmd (self deletion) 8->70 72 Tries to harvest and steal browser information (history, passwords, etc) 8->72 74 Writes many files with high entropy 8->74 76 2 other signatures 8->76 13 cmd.exe 1 8->13         started        16 cmd.exe 1 8->16         started        18 cmd.exe 1 8->18         started        20 5 other processes 8->20 file5 signatures6 process7 file8 80 Uses cmd line tools excessively to alter registry or file data 13->80 23 reg.exe 1 13->23         started        36 3 other processes 13->36 26 cmd.exe 16->26         started        38 3 other processes 16->38 82 Wscript called in batch mode (surpress errors) 18->82 28 wscript.exe 1 18->28         started        30 conhost.exe 18->30         started        46 C:\Users\user\Desktop46WiNKAQb.exe, PE32 20->46 dropped 32 conhost.exe 20->32         started        34 conhost.exe 20->34         started        40 2 other processes 20->40 signatures9 process10 signatures11 68 Changes the wallpaper picture 23->68 42 GYt8ApGd.exe 26->42         started        process12 file13 56 C:\Users\user\AppData\...behaviorgraphYt8ApGd64.exe, PE32+ 42->56 dropped 78 Multi AV Scanner detection for dropped file 42->78 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40/
Threat name:
Win32.Ransomware.Matrix
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 10:39:42 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
Matrix
4f4037898d619b3b5f1c9fedd3e3940f46d39a57db2cbf9b4d8238d587fd7168
Matrix
517e1659c9d9ee4de266b3ade2d06965b670d17082ae2c2c97b4c694bb29152a
Matrix
5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6
Matrix
593d037e9fd467ebe80cb0ff28d22be2dbc0fdaad4d626ee2ad30707d8ea23da
Matrix
69cd9793d80b5e5d7f5bf377822dc573c84ef939ede4eedd892fd1b757435bff
Matrix
d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6
Matrix
d5fce47c9f644b0cd9d392a93e30bbfdc9368d06250263a200708da9f80e4048
Matrix
d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829
Matrix
f9a19835601dc81b94557b0452cbde314a8f856e9d6371b825f39b627dba2949
Matrix
Result
Malware family:
matrix
Create hunting rule
Score:
  10/10
Tags:
ransomware evasion upx persistence discovery spyware family:matrix
Link:
https://tria.ge/reports/201015-v1n9294qxn/
Behaviour
Creates scheduled task(s)
Interacts with shadow copies
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Modifies service
Sets desktop wallpaper using registry
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Matrix Ransomware
Unpacked files
SH256 hash:
afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40
MD5 hash:
b3b77dc22f4f656dd036d6dc3b43f6e2
SHA1 hash:
4dd84a6c87e777ad12aeb38c0bba81892c5e464d
Detections:
win_matrix_ransom_auto
Create hunting rule
Link:
https://www.unpac.me/results/5fc16180-99e2-4662-b6de-c2b887205ff3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://github.com/StrangerealIntel/DailyIOC/blob/master/2020-10-15/MATRIX/RAN_Matrix_Sep_2020_1.yar
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/71537/

Comments