MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f
SHA3-384 hash: 0907b32817bd842ddb0188f1b0fda9f391bfcce347d2d8b3e8c1be5e6964372fb282a0de4dd0f58e956abd7077f7deb8
SHA1 hash: ba4daabff9037990d45c4cfafe4690a7fe2ddbfb
MD5 hash: 4107bb08f0c20c1bafd7839f1bf77a8b
humanhash: alaska-carpet-helium-crazy
File name:Products Details and Order reference.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:605'184 bytes
First seen:2021-10-07 04:37:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:rg3skoToRsOSeKceND8d5ycLnEahIdL1uSmcJ3aaMGZU+:c3skCtOjKc+7TahIdQStJ3aaMGZU+
Threatray 370 similar samples on MalwareBazaar
TLSH T16ED412A513778658ED368BF85C30A1D2137A6821205AC7781FD8F0F97B637B98ED0A53
Reporter GovCERT_CH
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 02:04:05 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/f0f44411-af6c-4bcc-a303-45571e75dd24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195589/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615e79acb95458900cddc731/reports/fd6f5b49-0aaf-4ad1-860f-e63698fdaee0/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/993a148f-054a-4d34-aa8e-fde61f109433
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866005
Signature
Creates executable files without a name
Drops PE files to the user root directory
Found malware configuration
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Matiex Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498429 Sample: Products Details and Order ... Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 87 Found malware configuration 2->87 89 Sigma detected: Capture Wi-Fi password 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 13 other signatures 2->93 11 Products Details and Order reference.exe 7 2->11         started        14 .exe 5 2->14         started        process3 file4 65 C:\Users\user\AppData\...\UKEBHvwzzTPD.exe, PE32 11->65 dropped 67 C:\Users\user\AppData\Local\...\tmp15FD.tmp, XML 11->67 dropped 69 Products Details a...r reference.exe.log, ASCII 11->69 dropped 17 Products Details and Order reference.exe 16 5 11->17         started        22 schtasks.exe 1 11->22         started        103 Multi AV Scanner detection for dropped file 14->103 105 May check the online IP address of the machine 14->105 24 .exe 15 2 14->24         started        26 schtasks.exe 1 14->26         started        28 .exe 14->28         started        signatures5 process6 dnsIp7 71 checkip.dyndns.com 158.101.44.242, 49749, 49846, 80 ORACLE-BMC-31898US United States 17->71 73 mail.thts.vn 115.146.127.14, 25, 49765, 49803 CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN Viet Nam 17->73 79 2 other IPs or domains 17->79 59 C:\Users\user\.exe, PE32 17->59 dropped 61 C:\Users\user\AppData\Roaming\...\.url, MS 17->61 dropped 63 C:\Users\user\.exe:Zone.Identifier, ASCII 17->63 dropped 95 Tries to steal Mail credentials (via file access) 17->95 97 Creates executable files without a name 17->97 99 Tries to harvest and steal ftp login credentials 17->99 101 2 other signatures 17->101 30 netsh.exe 3 17->30         started        32 conhost.exe 22->32         started        75 132.226.247.73, 49806, 80 UTMEMUS United States 24->75 77 checkip.dyndns.org 24->77 34 cmd.exe 24->34         started        36 conhost.exe 26->36         started        file8 signatures9 process10 process11 38 conhost.exe 30->38         started        40 ComputerDefaults.exe 34->40         started        42 conhost.exe 34->42         started        44 ComputerDefaults.exe 34->44         started        46 ComputerDefaults.exe 34->46         started        process12 48 .exe 40->48         started        process13 50 .exe 48->50         started        53 schtasks.exe 48->53         started        dnsIp14 81 104.21.19.200, 443, 49847, 49848 CLOUDFLARENETUS United States 50->81 83 freegeoip.app 50->83 85 2 other IPs or domains 50->85 55 WerFault.exe 50->55         started        57 conhost.exe 53->57         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 04:00:49 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3umcv7umrhwpxdjnispv44anplajxf4tcuryvpym5yon2zowyj7q._file
Verdict:
malicious
Similar samples:
2a110d7e364ad29a87c03c0418154c360c3be3f473fe0434656908d954e6bdd3
Matiex
488ce79d6a67c9797c3ecb2dcdeea8d3501de214ffd7dd172b7f85fddaf4b58c
Matiex
606d71ee2279fa142144bfddb518aa863ad5b1bc0c07c03ea87f14ee5123f4f1
Matiex
6b7afa4ba43a383c37bd7a265fb401be83482f7682cd2f6fd1ee733a38314092
Matiex
80d785f64f10760466e0023c19846dbae749aac11be0433e17f7c703b220b433
Matiex
9aa1053947dcfe0286c6ead693deaa6ec9d911cd15d8caab63a49dcfe9e713a5
Matiex
a6c1e44de59c65df02ffd162f73db244173679bfdd4e8164bada4cc55ac596c7
Matiex
c0585059351b60144ee6c5dc0a5f9cc119ba56eb7f817761db36158beb22df2e
Matiex
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
Matiex
e3f3ed02da22278148950fd72bda0a410d5fd60e56975507da774f392ff099a1
Matiex
+ 360 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
family:matiex keylogger stealer
Link:
https://tria.ge/reports/211007-e9dtzabgh6/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
29478fa38e988359b85f0c8b918ca3438d0d4c0156fc389e0d9800eab4e8c6ad
MD5 hash:
48039260b20ec8639b9cb6d1a36534ca
SHA1 hash:
99085f80aad72eeb2e6cadce24b6b3d55593ad6d
Link:
https://www.unpac.me/results/2f756e4a-1f26-4668-bb63-baf97d470750/
SH256 hash:
ccfd1b574d50e577799f933f32f22404e1cdc932df22a113413ed0bc940517bd
MD5 hash:
6530db093ec699a3eb6e22c343f67f5e
SHA1 hash:
8a2e53ceb2eeb0ba60ab662c58a517a52521ff7d
Link:
https://www.unpac.me/results/2f756e4a-1f26-4668-bb63-baf97d470750/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/2f756e4a-1f26-4668-bb63-baf97d470750/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/2f756e4a-1f26-4668-bb63-baf97d470750/
SH256 hash:
dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f
MD5 hash:
4107bb08f0c20c1bafd7839f1bf77a8b
SHA1 hash:
ba4daabff9037990d45c4cfafe4690a7fe2ddbfb
Link:
https://www.unpac.me/results/2f756e4a-1f26-4668-bb63-baf97d470750/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd182afe8c89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:MALWARE_Win_Matiex
Create hunting rule
Author:ditekSHen
Description:Matiex/XetimaLogger keylogger payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

Executable exe dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195589/

Comments