MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8888ca416fcb0b2fa48e131a3fbadf177ed9f26528d620ff1df804f17ea8c64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8888ca416fcb0b2fa48e131a3fbadf177ed9f26528d620ff1df804f17ea8c64
SHA3-384 hash: efd2a5caef2798f18686f30cfa7b4bbc677057cecb2d454a21cd3c906c7365405784c58e742f089deeeb87db8aeceb70
SHA1 hash: 844329ce2db6a3a6929719f27766474f77c7d047
MD5 hash: 497856229ec8ae87bda86469bf72ef64
humanhash: virginia-iowa-monkey-white
File name:Payment receipt.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:131'376 bytes
First seen:2020-08-12 06:35:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:NpizNLLJ56+2Zp+Y3t9zJaC8IYWOv35bY/HClgT:NpiJR2ZP3lUBJbYqlC
Threatray 643 similar samples on MalwareBazaar
TLSH 34D3E002B17AF310D1FF2AB106E5DA800B71A5F21A72851FBADC366DCE517B14C45EEA
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: malmomusikaffar.com
Sending IP: 45.138.172.137
From: 925 Silver Jewelry<info@malmomusikaffar.com>
Subject: Payment receipt
Attachment: Payment receipt.rar (contains "Payment receipt.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43936/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/421462
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 263178 Sample: Payment receipt.exe Startdate: 12/08/2020 Architecture: WINDOWS Score: 96 46 Yara detected Matiex Keylogger 2->46 48 .NET source code references suspicious native API functions 2->48 50 .NET source code contains very large array initializations 2->50 52 7 other signatures 2->52 6 Payment receipt.exe 2 2 2->6         started        10 Payment receipt.exe 3 2->10         started        12 Payment receipt.exe 3 2->12         started        14 Payment receipt.exe 2->14         started        process3 file4 26 C:\Users\user\AppData\...\Payment receipt.exe, PE32 6->26 dropped 28 C:\...\Payment receipt.exe:Zone.Identifier, ASCII 6->28 dropped 54 Creates an undocumented autostart registry key 6->54 56 Injects a PE file into a foreign processes 6->56 16 Payment receipt.exe 15 2 6->16         started        20 Payment receipt.exe 2 10->20         started        22 Payment receipt.exe 2 12->22         started        24 Payment receipt.exe 14->24         started        signatures5 process6 dnsIp7 30 checkip.dyndns.org 16->30 40 3 other IPs or domains 16->40 44 Tries to steal Mail credentials (via file access) 16->44 32 checkip.dyndns.org 20->32 34 104.28.4.151, 443, 49740, 49747 CLOUDFLARENETUS United States 20->34 36 checkip.dyndns.org 22->36 38 checkip.dyndns.org 24->38 42 3 other IPs or domains 24->42 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8888ca416fcb0b2fa48e131a3fbadf177ed9f26528d620ff1df804f17ea8c64/
Threat name:
ByteCode-MSIL.Trojan.Dothetuk
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 04:14:51 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xceizjaw7sylf6si4ey2h65n6f363hzgkkgwed7r36ae6f7krrsa._file
Verdict:
suspicious
Similar samples:
02fbb8bf86f5163a9e3dcf6c172a709c2bd68fc9586b71c7c84627cc049da3ae
Matiex
066bdbaf5b5526cc3040573bea83da7a384e0c97df13d50a7cc0716b1dd8e6ac
Matiex
222e404e018c17e02a05cdf15699992894593b76b1372ec300981ddb38228cde
Matiex
55add5e5138bf35c9ef1a148b681358e4731131a72be0ebed59a28e7f7fd7eaf
Matiex
733036ae8101048351d1cf684fe1bc02c1cf7a70725a470bec7cbd59a602738b
Matiex
9b071bb883d03ad019622019118ed94894f8471ec7bff4982acc87267a552c68
Matiex
bbf1cebce86dde95f8a66414a1106ae2494b57c7b3d36d6df16b8ddef74e6346
Matiex
c5f803db7130a7863d26ce38997bea3d62e7c166f27c878576cb482e9618a22a
Matiex
fbc9106506d47f39fddb3a48693e9b3eb80f400d6c273d1e08ecc7ef417f9352
Matiex
ff72da13e03a2e2b2019a9899a6d036a054fcac79a563281bd1aeb34a69f3a38
Matiex
+ 633 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200812-szya9gj7t2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/b8888ca416fcb0b2fa48e131a3fbadf177ed9f26528d620ff1df804f17ea8c64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

rar 67355213a21949a6abc12f65fb4f96f6c9ca82d60dac379984ce374b0e00ce26

Matiex

Executable exe b8888ca416fcb0b2fa48e131a3fbadf177ed9f26528d620ff1df804f17ea8c64

(this sample)

  
Dropped by
MD5 663c6faedef6d2cb4b4b189789ac16ba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43936/
  
Dropped by
SHA256 67355213a21949a6abc12f65fb4f96f6c9ca82d60dac379984ce374b0e00ce26

Comments