MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c
SHA3-384 hash: 38456d8a810a5868b60a5becc9b787e08a1d83397fd5cf048ca0579efe21fdf661e3400820942bb9a7a8cbd400a393eb
SHA1 hash: 62cb835dc20ef745186fd3805c230b96c1177ba2
MD5 hash: 696f1e6e8b7f8ed2b20e9aa689be7333
humanhash: fish-echo-one-nevada
File name:4797508E2-20F2-4C2C-879A-1C358G.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:667'648 bytes
First seen:2020-10-16 17:48:09 UTC
Last seen:2020-10-16 19:23:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd0ccfffe29beda9bfd332e673d3d4c7 (3 x AgentTesla, 2 x Matiex, 1 x Formbook)
ssdeep 12288:UtjBa8Zh7+1zqnTxIo3jiCY+0MiYrajKylU25lRH7FEAAEck0WhaUc4L4WYU6d1r:UtFayFz5TpXTrajK45lvA
Threatray 35 similar samples on MalwareBazaar
TLSH 34E45B455E91A6B2FF0E48785278CE33C6CDDF31269F046A9BD1163AAC361D17E2068F
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing Matiex:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.209
From: fkhalife@poslogistics.com
Subject: Urgent Purchase Order
Attachment: 4797508E2-20F2-4C2C-879A-1C358G.zip (contains "4797508E2-20F2-4C2C-879A-1C358G.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72229/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3424.21408.28206.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Creating a window
Unauthorized injection to a system process
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494071
Signature
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c/
Threat name:
Win32.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 15:10:44 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyhjyohvahcberdvkq4ik7hxnkzfoj2qfm2eyzotab276mzy6q6a._file
Verdict:
unknown
Similar samples:
039b571653cbd974ebb9e8c37c048d0f9c4e5302db86a7400ed7a81708cb6c8c
Matiex
16fda49dd0a5b3c520619c1f5e88723cd2fe0c92b9cc2946416b2e29a1ccdfff
Matiex
46e5baf1b4d81819842fa7145a3ec446d956fedbafb1a3d36d77ffa06dbfcb74
Matiex
47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a
Matiex
4a40496f800e2a11c1e2a12176d062b59fe536f18fb236f98e66231448aaa2e8
Matiex
a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
Matiex
b69c69f5c302e64f4a4a27abd968404d6226d8b04724abe8121f4627e2a755f2
Matiex
d32af58205d0773daf139d13738f918e03f4d30439086b6eda0dfceef3369b58
Matiex
d57b7809ae71b779b00aa2e7e3b55c3ff6c210453e19a872489e330285031ed3
Matiex
ec7484496f3a8f5ba5228b50c008988f85d871c5ff18f1e61b8da5cfb7d09b90
Matiex
+ 25 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:matiex spyware
Link:
https://tria.ge/reports/201016-36ad2wncsn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c
MD5 hash:
696f1e6e8b7f8ed2b20e9aa689be7333
SHA1 hash:
62cb835dc20ef745186fd3805c230b96c1177ba2
Link:
https://www.unpac.me/results/8fb34dc5-5d6a-4844-8695-93133753d7f6/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/8fb34dc5-5d6a-4844-8695-93133753d7f6/
SH256 hash:
7bbf4a3bf1d944f08699e3ec0884a41f866239e26e3c8f56b311cbbfc50392f6
MD5 hash:
c175e1e00b384410d00a6f52347143e9
SHA1 hash:
74d79a2148aefe43810b4d6efeb3d3c73f3d52b6
Link:
https://www.unpac.me/results/8fb34dc5-5d6a-4844-8695-93133753d7f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
VirLock
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip dd2daa1f70321c9e2d0087fc8fd54d7703cc83a06a2383cf9fced3d33dfa4c0a

Matiex

Executable exe ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c

(this sample)

  
Dropped by
MD5 c9d153f16bc14e615dc42d05dbef199b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72229/
  
Dropped by
SHA256 dd2daa1f70321c9e2d0087fc8fd54d7703cc83a06a2383cf9fced3d33dfa4c0a

Comments