MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264
SHA3-384 hash: a4bf053801b7eb3e6ae1a660116af27e99f3bb85650fef4ffe9800029b84776a870d2ed68d3fbd275a3118ccdfca960c
SHA1 hash: 5a371efcb5183f96f96082b5fefec1e05b84c21f
MD5 hash: 22e5a3e8fb401981cfdb4bc0c9235e7d
humanhash: lamp-ohio-august-equal
File name:TNT E-Invoice Cosignment Delivery Notification_pdf.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:1'118'720 bytes
First seen:2020-08-08 08:22:38 UTC
Last seen:2020-08-08 08:54:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jAcu9Xspj1GWpWOg/6JFl/AwWeFbwMq+OT83ELMWfU2AZ:jAcmXyQWO7sby43ELMWfXA
Threatray 28 similar samples on MalwareBazaar
TLSH F93516E03640706FE59B40B095FBA6E5A2E2751C5D741B0D5853BA4EEE222873CDF8B3
Reporter abuse_ch
Tags:exe Matiex TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: WIN-ZLGEJPDBTRM
Sending IP: 103.138.108.118
From: TNT Express <admin@genoeven.cf>
Subject: TNT Shipment Notification
Attachment: TNT E-Invoice Cosignment Delivery Notification_pdf.zip (contains "TNT E-Invoice Cosignment Delivery Notification_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42120/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.19229.15112.7037.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415796
Signature
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 260147 Sample: TNT E-Invoice Cosignment De... Startdate: 08/08/2020 Architecture: WINDOWS Score: 100 47 pkbsl.com 2->47 49 mail.pkbsl.com 2->49 51 3 other IPs or domains 2->51 55 Found malware configuration 2->55 57 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->57 59 Yara detected Matiex Keylogger 2->59 61 7 other signatures 2->61 7 TNT E-Invoice Cosignment Delivery Notification_pdf.exe 2 5 2->7         started        11 TNT E-Invoice Cosignment Delivery Notification_pdf.exe 5 2->11         started        13 TNT E-Invoice Cosignment Delivery Notification_pdf.exe 5 2->13         started        15 4 other processes 2->15 signatures3 process4 file5 27 TNT E-Invoice Cosi...otification_pdf.exe, PE32 7->27 dropped 29 TNT E-Invoice Cosi...exe:Zone.Identifier, ASCII 7->29 dropped 31 TNT E-Invoice Cosi...ication_pdf.exe.log, ASCII 7->31 dropped 63 Creates an undocumented autostart registry key 7->63 65 Writes to foreign memory regions 7->65 67 Injects a PE file into a foreign processes 7->67 17 CasPol.exe 15 4 7->17         started        21 CasPol.exe 4 11->21         started        23 CasPol.exe 11->23         started        25 CasPol.exe 13->25         started        69 Creates autostart registry keys with suspicious names 15->69 signatures6 process7 dnsIp8 33 pkbsl.com 69.16.230.96, 49741, 49765, 49767 LIQUIDWEBUS United States 17->33 35 mail.pkbsl.com 17->35 43 3 other IPs or domains 17->43 53 Tries to steal Mail credentials (via file access) 17->53 37 mail.pkbsl.com 21->37 45 2 other IPs or domains 21->45 39 mail.pkbsl.com 25->39 41 checkip.dyndns.org 25->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-08 00:56:08 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdouokqc5vt74fpcbyx2uylh3da6tvkmt4flzfnckumxxpymajsa._file
Verdict:
malicious
Similar samples:
0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b
Matiex
55add5e5138bf35c9ef1a148b681358e4731131a72be0ebed59a28e7f7fd7eaf
Matiex
64c935f1295d858c75da3c49fa35d153d6d0b738576cde789b60a84d48d5b409
Matiex
8dd6f87188b0d6ab5739fd49c7247e7b60cdf4f16f482ed295632df80d82ab5f
Matiex
ba1c5f36a287271ae64d7fb5e803ced708a75ac3398448f8c3000cf9f2897f86
Matiex
c11918578270f2c2b9c8f834eb7e336cb213e2ff3721e62fff594635d79ce365
Matiex
e087171c275e0a210d76081dedc62fbf6319f3a76415d1316fc17d81c1e8753b
Matiex
fad876823d64effebcc0d9b2b353d118e289c21ff2527ddddd2aa54d544d494e
Matiex
fbc9106506d47f39fddb3a48693e9b3eb80f400d6c273d1e08ecc7ef417f9352
Matiex
fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0
Matiex
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200808-3wc9546fsx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of local email clients
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Drops startup file
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NanoCore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip 623e7e4cc3035fc745bf34c07c5fffc4258fac2e4cd2c9f7d4ba2045e24371a0

Matiex

Executable exe b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264

(this sample)

  
Dropped by
MD5 882082f3dd2804e3d312ddd3d40d8c3e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42120/
  
Dropped by
SHA256 623e7e4cc3035fc745bf34c07c5fffc4258fac2e4cd2c9f7d4ba2045e24371a0

Comments