MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matiex


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0
SHA3-384 hash: f2cae29742753b8e8b9c82ca6c12ca6dac89448f01ff600737c24b037dec98728da2a4748e6c9eb55ab188e6cfd3979b
SHA1 hash: 2c02034a6d91d9e2b21504a4bec82ec36d7bdd5d
MD5 hash: e34037661a1608c722e5264797b2eecf
humanhash: autumn-florida-ten-east
File name:PO.exe
Download: download sample
Signature Matiex
Create hunting rule
File size:1'680'696 bytes
First seen:2020-08-05 09:10:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:YbuGgbF4U1te7rQqtvJ97fVHAY0NFjVI0QWDYgpl8:Y5pJ97SHmPql8
Threatray 31 similar samples on MalwareBazaar
TLSH 00757D50384030AFF69B44F196EBA6E8A2E235251A3127395C13757CC96E2977CDF8B3
Reporter abuse_ch
Tags:exe Matiex


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [103.140.250.133]
Sending IP: 103.140.250.133
From: Lu Thai Textile Co Ltd <Noortext.mills@hotmail.com>
Reply-To: Noortext.mills@hotmail.com
Subject: NEW PO.
Attachment: PO.rar (contains "PO.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39302/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun
Enabling autorun by creating a file
Result
Threat name:
Matiex
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/410735
Signature
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Injects a PE file into a foreign processes
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Yara detected Matiex Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257680 Sample: PO.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 72 46 mail.indiaflanges.com 2->46 48 checkip.dyndns.org 2->48 50 3 other IPs or domains 2->50 54 Yara detected Matiex Keylogger 2->54 56 .NET source code references suspicious native API functions 2->56 58 May check the online IP address of the machine 2->58 8 PO.exe 2 8 2->8         started        12 PO.exe 2->12         started        14 PO.exe 2->14         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\...\PO.exe, PE32 8->38 dropped 60 Creates an undocumented autostart registry key 8->60 62 Drops PE files to the startup folder 8->62 64 Injects a PE file into a foreign processes 8->64 16 PO.exe 8->16         started        20 powershell.exe 23 8->20         started        22 powershell.exe 25 8->22         started        24 11 other processes 8->24 signatures6 process7 dnsIp8 40 mail.indiaflanges.com 16->40 42 checkip.dyndns.org 16->42 44 4 other IPs or domains 16->44 52 Tries to steal Mail credentials (via file access) 16->52 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        36 8 other processes 24->36 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 07:25:00 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qokrmh6r2vs3gga6dt22nyqr6bw773xwuhdsphv33tbw7son2ya._file
Verdict:
unknown
Similar samples:
0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b
Matiex
28e752ad86f8f53773bb2e147c1366f5e82b5a8fd2cd80af065decea2e11f694
Matiex
341621050c83b242a1779e5a88f4c6389b7efc1406d5e5ba8e7828a0d74fbb86
Matiex
55add5e5138bf35c9ef1a148b681358e4731131a72be0ebed59a28e7f7fd7eaf
Matiex
64c935f1295d858c75da3c49fa35d153d6d0b738576cde789b60a84d48d5b409
Matiex
8dd6f87188b0d6ab5739fd49c7247e7b60cdf4f16f482ed295632df80d82ab5f
Matiex
b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264
Matiex
d7cc722f1aa4b96ed4250ccc11c364e36a03d524c09d6303fc686f595b24aa0b
Matiex
e88c90bd34759e75f02ca1b3413916e7e3bab94daa1fbb540cf87cb79000164c
Matiex
fbc9106506d47f39fddb3a48693e9b3eb80f400d6c273d1e08ecc7ef417f9352
Matiex
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200805-qle3g96fls/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Looks up external IP address via web service
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Drops startup file
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Modifies WinLogon for persistence
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

rar 0f888907403ebaee309e7927c72e5ebd6aca817209fd1a5a8ceaa0b028116fcd

Matiex

Executable exe fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0

(this sample)

  
Dropped by
MD5 120e64a8a2f32751de5ac49daa0dcbd1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0f888907403ebaee309e7927c72e5ebd6aca817209fd1a5a8ceaa0b028116fcd
Cape
Cape
https://www.capesandbox.com/analysis/39302/

Comments