MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e140b93dc9a3f14835fd0c76c6be9770990e090d9952e62a6120d94a251aa2cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e140b93dc9a3f14835fd0c76c6be9770990e090d9952e62a6120d94a251aa2cd
SHA3-384 hash: f3190f2a0c7eda255aebd49675ec299d340b2ed56e4bb00f7008082725d81900bd8456fc663bff64fffc2079ee88fa97
SHA1 hash: 7496b7d27a08f19e1ed388f4899201f662427776
MD5 hash: bb846e7bc2a28d3b9c7ecf1850905358
humanhash: winner-crazy-mountain-mango
File name:List Of Orders.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:759'296 bytes
First seen:2020-11-18 12:57:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:LkPAtljnZUogt/bt8LFUcc6+qHfRR2Yuf/mN13INZqeNHHy+efJEVMcbmu54wR:P8/x8J+q/GYunmNtKg4y+eh2OwR
Threatray 15 similar samples on MalwareBazaar
TLSH 0CF4E0312576BF92D6BE4BF4C161A4450FF9A62B642CE79C1CD604DE25B1F084E02EBB
Reporter abuse_ch
Tags:exe Matiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader35.51022.13476.3732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Setting a global event handler for the keyboard
Result
Gathering data
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541069
Signature
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e140b93dc9a3f14835fd0c76c6be9770990e090d9952e62a6120d94a251aa2cd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 22:42:40 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4falspojupyuqnp5br3mnpuxocmq4cintfjomktbedmuuji2ulgq._file
Verdict:
unknown
Similar samples:
1cf6a36e578cec30303b5daf5c545e6b139419c99f2771bf40179bb45756e92b
Matiex
29606f35cd9ea80936304ef255b1962b8ba4e20a97e40cadabb37da6785c0ff9
Matiex
5ec7724e2cc07b72b1603c662b12c0c87e94e37a8d4dc093de1723c6c9ec327b
Matiex
685222a6d5d41bc23a1e4637ab8c3ed19d6075faaab2730d0f8599a24cd1c0a2
Matiex
7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478
Matiex
786f93f0f40176b4719fef2038c6f1f87ae6aee5d2293fcd03fbf52679cb75d6
Matiex
96036d8808f95f6746d1d95dc3f157b5b7b4224cc5d01b15162ce7f048d81be7
Matiex
ca3cc0fc804c69584801fc33a39effafb6b2a747f4ef0958348cc13eaa2c5e3f
Matiex
ce431d943b7df67690c0c89d1556a8d9ca222a78568d56c8c3aeaccc74f40fd4
Matiex
e97151ce51e9463bd45ad41571141614fc0ffc8a8cbf2c74f36c20028a769f41
Matiex
+ 5 additional samples on MalwareBazaar
Result
Malware family:
matiex
Create hunting rule
Score:
  10/10
Tags:
family:matiex keylogger persistence spyware stealer
Link:
https://tria.ge/reports/201118-w7lvs3fzax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Matiex
Matiex Main Payload
Unpacked files
SH256 hash:
e140b93dc9a3f14835fd0c76c6be9770990e090d9952e62a6120d94a251aa2cd
MD5 hash:
bb846e7bc2a28d3b9c7ecf1850905358
SHA1 hash:
7496b7d27a08f19e1ed388f4899201f662427776
Link:
https://www.unpac.me/results/965ebb0a-3524-40ac-9db0-a1e27ebe7f5b/
SH256 hash:
61025c1f1316c52d83bac9e50175df9d4b62a4e748739fb1bf2af55d3a608813
MD5 hash:
750975ff96935e261afa9888a8d3d1a1
SHA1 hash:
2dccaa81654c6a13541681c0726e62c57cd3bdf4
Link:
https://www.unpac.me/results/965ebb0a-3524-40ac-9db0-a1e27ebe7f5b/
SH256 hash:
c1667fa6f6d37044c403c17010f36efc7e08d47ac2fb36a36b3c7e700eb97d81
MD5 hash:
eebb807f8a5a2d47c89648e4fb907f89
SHA1 hash:
35e8cbe02f0ce21492333604056e15bdbc923227
Link:
https://www.unpac.me/results/965ebb0a-3524-40ac-9db0-a1e27ebe7f5b/
SH256 hash:
c570aeb993822b6eb48dc2a47eae82bc36eb3d5378a377de0cf9d5afd0aa9f25
MD5 hash:
27ba9f74a0d79d40b4324aa5cdc5a3db
SHA1 hash:
7064f4d0cfcebdac6465ee8ab2eb2299dfe52e36
Link:
https://www.unpac.me/results/965ebb0a-3524-40ac-9db0-a1e27ebe7f5b/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/965ebb0a-3524-40ac-9db0-a1e27ebe7f5b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_matiex_keylogger_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

Executable exe e140b93dc9a3f14835fd0c76c6be9770990e090d9952e62a6120d94a251aa2cd

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments