MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 6 File information Yara 1 Comments

SHA256 hash: e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc
SHA3-384 hash: 50292e5bff9b90d10cd580205621b6f12ed80af1801768dd5c23a1b8c61fd01336fe1f93f4c003894ef195fd88ab31f5
SHA1 hash: 435cbff7d1b6d0ad1a5992be3b658fa4c575bffd
MD5 hash: 829316dec0bd0d3ae1a0d7dba9aa96fe
humanhash: romeo-spring-early-twelve
File name:PO.exe
Download: download sample
Signature Matiex
File size:632'832 bytes
First seen:2020-07-31 12:17:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e94294aa486edca6180033051104c39
ssdeep 12288:g1i+/Z6i2pC138ktn6gCA4iFsrnTp1zPgcERsMbvE/ey8r0JLsVL:kNZopgQgY2O9IcERsMbvGLkt
TLSH 28D48EE2B6D05433C26F15F98C0B9764AB3AFE101A29148E2BF50C4F9FF968135F5196
Reporter @abuse_ch
Tags:exe Matiex


Twitter
@abuse_ch
Malspam distributing unidentified malware:

HELO: ismarine.com.tr
Sending IP: 62.232.216.219
From: Express ADG <EXPRESS_ADG@ismarine.com.tr>
Subject: Urgent Request for Invoice
Attachment: PO.z (contains "PO.exe")

Intelligence


File Origin
# of uploads :
1
# of downloads :
39
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Threat name:
AgentTesla Matiex
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.DataStealer
Status:
Malicious
First seen:
2020-07-31 12:19:13 UTC
AV detection:
21 of 31 (67.74%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
UPX packed file
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:win_matiex_keylogger_v1
Author:Johannes Bader @viql
Description:detects the Matiex Keylogger

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

Executable exe e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments