MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d38ae3a0b46004f53c8544937d735621d53ccf2a7bdd13b3ce0944446e214a2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d38ae3a0b46004f53c8544937d735621d53ccf2a7bdd13b3ce0944446e214a2e
SHA3-384 hash: f07e939eb4e59920c920af7e4ac1b55e95433406f4737b476060dcba414a3484ce9f79e28e80b073070a45310eef9ac6
SHA1 hash: 83fa8f78e5acbf446231acc1779ab2fa095d8767
MD5 hash: f30f40503d6c95a46049571af77ca858
humanhash: enemy-blossom-artist-vermont
File name:Invoice SMI7271.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:710'656 bytes
First seen:2020-10-05 11:17:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 41cd3d95714b0df8060323fdc67b3eba (10 x AgentTesla, 6 x Loki, 1 x MassLogger)
ssdeep 12288:jcAt9L2fndhBK2w3p3z+iqiBZdMuWD9gP088J4yOZMcT:RHqhBFgBg6cuZMe
Threatray 1'940 similar samples on MalwareBazaar
TLSH D7E49D22A3E14833D1671A3D9DDB6774EC29BE503D28B94A2FE4DC4C9F396817819393
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.aakeen.co.in
Sending IP: 49.50.102.203
From: Arvind Chaudhary<admin@clickngodeals.com>
Reply-To: <anelem@suprahealthcare.net>
Subject: RE: Request for PO# 2500104655 HomeSense Canada
Attachment: Invoice SMI7271.rar (contains "Invoice SMI7271.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68136/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481272
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293078 Sample: Invoice SMI7271.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for submitted file 2->41 43 Detected unpacking (changes PE section rights) 2->43 45 Detected unpacking (creates a PE file in dynamic memory) 2->45 47 7 other signatures 2->47 7 Invoice SMI7271.exe 2->7         started        10 wscript.exe 1 2->10         started        process3 signatures4 53 Writes to foreign memory regions 7->53 55 Allocates memory in foreign processes 7->55 57 Maps a DLL or memory area into another process 7->57 59 Queues an APC in another process (thread injection) 7->59 12 Invoice SMI7271.exe 15 2 7->12         started        16 notepad.exe 1 7->16         started        18 Invoice SMI7271.exe 10->18         started        process5 dnsIp6 35 checkip.dyndns.org 12->35 37 checkip.dyndns.com 216.146.43.71, 49725, 49726, 49728 DYNDNSUS United States 12->37 39 freegeoip.app 104.28.5.151, 443, 49727 CLOUDFLARENETUS United States 12->39 61 Tries to steal Mail credentials (via file access) 12->61 63 Tries to harvest and steal browser information (history, passwords, etc) 12->63 65 Drops VBS files to the startup folder 16->65 67 Delayed program exit found 16->67 69 Writes to foreign memory regions 18->69 71 Allocates memory in foreign processes 18->71 73 Maps a DLL or memory area into another process 18->73 20 Invoice SMI7271.exe 2 18->20         started        24 notepad.exe 1 18->24         started        signatures7 process8 dnsIp9 29 checkip.dyndns.org 20->29 31 172.67.188.154, 443, 49741 CLOUDFLARENETUS United States 20->31 33 3 other IPs or domains 20->33 49 Tries to steal Mail credentials (via file access) 20->49 51 Tries to harvest and steal browser information (history, passwords, etc) 20->51 27 C:\Users\user\AppData\...\Invoice SMI7271.vbs, ASCII 24->27 dropped file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d38ae3a0b46004f53c8544937d735621d53ccf2a7bdd13b3ce0944446e214a2e/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 10:35:04 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ofohifumacpkpefisjx242wehktztzkpporhm6obfcei3rbjixa._file
Verdict:
suspicious
Similar samples:
0a1ca91d04ec61da5e293f32d26ea3895d35575f1be5f699018ed683e9b097f1
Matiex
15de86087381df23faff003d4d1f7e5fb361ef730c28226405842fba3845af1f
Matiex
2a00c8f1e74ad67fbd46cb64e3af0cbe77f56f99b7b2f8856703d4a0e2bfa7da
Matiex
43e8641205d2a76869199f8b5cf7cbba0533aee5b84c4ccd786ed32f79c9e01c
Matiex
71db72fdf67af76d080be2a30e8492469b63a48023286aa72ed83a322b45bfe1
Matiex
9046f8e610dafdb143af6df2671631a2750661ca24165d6e093bdb5b6ae86f9f
Matiex
b43942a6c8b89e2696abecd55fc787b54c53ae4fb89c7784b4c54cc5e99c30ef
Matiex
c66b164cb1120ffc2e7cf33e6aae762ff03e95902a7ec0066c70b3014edf8a37
Matiex
de994d2a0ac73be4a08f1c7420733908d4f1373ea7df5d45935b20e4904b5da7
Matiex
f2c8e60f6dea2f01ded10eed11783cd5173650bbc6e14d8ec891f441fea26b42
Matiex
+ 1'930 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
upx stealer keylogger family:matiex spyware
Link:
https://tria.ge/reports/201005-77r62tfh4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
d38ae3a0b46004f53c8544937d735621d53ccf2a7bdd13b3ce0944446e214a2e
MD5 hash:
f30f40503d6c95a46049571af77ca858
SHA1 hash:
83fa8f78e5acbf446231acc1779ab2fa095d8767
Link:
https://www.unpac.me/results/f84bd22a-001a-46a2-bc19-27d3d466efa7/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/f84bd22a-001a-46a2-bc19-27d3d466efa7/
SH256 hash:
5d37a70cc62e813def2faae64bead32ed1691ae20f39fd28aee1bfef8f4b9733
MD5 hash:
d3a30fb29dcf6f70c6c1673540892913
SHA1 hash:
f4f027b30b4c86eb29d8515fbf8138208f9e0134
Link:
https://www.unpac.me/results/f84bd22a-001a-46a2-bc19-27d3d466efa7/
SH256 hash:
d5443e90cffba551c84a56f2d706cced9f09881ffdd72aa11efed04666928baf
MD5 hash:
e94ffcd5a8e4174f6589539a7d8683a9
SHA1 hash:
069f1cbfdac58f3a00204e59b6273d1fcfab8d7e
Link:
https://www.unpac.me/results/f84bd22a-001a-46a2-bc19-27d3d466efa7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d38ae3a0b46004f53c8544937d735621d53ccf2a7bdd13b3ce0944446e214a2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

rar 40cadfa1251e806a31e1e4417031337b837714dccb72736491dcba72fb5a129c

Matiex

Executable exe d38ae3a0b46004f53c8544937d735621d53ccf2a7bdd13b3ce0944446e214a2e

(this sample)

  
Dropped by
MD5 2d1f592dbc673e1a6eeaa044659da919
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68136/
  
Dropped by
SHA256 40cadfa1251e806a31e1e4417031337b837714dccb72736491dcba72fb5a129c

Comments