Windows
Analysis Report
file.dll
Overview
General Information
Detection
Matanbuchus
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Matanbuchus
AI detected suspicious sample
Uses known network protocols on non-standard ports
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- loaddll32.exe (PID: 2876, cmdline: loaddll32.exe "C:\Users\user\Desktop\file.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6448, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6932, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 4040, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- MpCmdRun.exe (PID: 5996, cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable, MD5: B3676839B2EE96983F9ED735CD044159)
- conhost.exe (PID: 1020, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 6936, cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,CheckLicense, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7328, cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,DllInit, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7404, cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,DllInstall, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7504, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",CheckLicense, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7512, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",DllInit, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7520, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",DllInstall, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7536, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_setopt, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7552, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_perform, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7568, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_init, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7588, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_cleanup, MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 7820, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 608, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 7600, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Uninitialize, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7620, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",ThreadFunction, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7632, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Main, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7692, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",InitDll, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7732, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Init, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7752, cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",DllUninitialize, MD5: 889B99C52A60DD49227C5E485A016679)
- regsvr32.exe (PID: 7968, cmdline: C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx", MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- regsvr32.exe (PID: 7984, cmdline: -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx", MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Matanbuchus | According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections. Since it is used as a MaaS, both the malware it infiltrates into systems and the attack reasons can vary, depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization. | No Attribution | |
No configs have been found
Rule | Description | Author | Strings
---|---|---|---
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
Windows_Trojan_Matanbuchus_58a61aaa | unknown | unknown |

Rule | Description | Author | Strings
---|---|---|---
Windows_Trojan_Matanbuchus_58a61aaa | unknown | unknown |

Rule | Description | Author | Strings
---|---|---|---
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
Windows_Trojan_Matanbuchus_58a61aaa | unknown | unknown |

Rule | Description | Author | Strings
---|---|---|---
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
Windows_Trojan_Matanbuchus_4ce9affb | unknown | unknown |
Windows_Trojan_Matanbuchus_58a61aaa | unknown | unknown |
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
Windows_Trojan_Matanbuchus_4ce9affb | unknown | unknown |

Rule | Description | Author | Strings
---|---|---|---
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
Windows_Trojan_Matanbuchus_58a61aaa | unknown | unknown |
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
Windows_Trojan_Matanbuchus_58a61aaa | unknown | unknown |
JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security |
System Summary
- Source: Author: Dmitriy Lifanov, oscd.community
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-06T13:25:27.299380+0200 | 2034468 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49763 | 193.109.85.31 | 54801 | TCP |
2024-10-06T13:27:45.270526+0200 | 2034468 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49994 | 193.109.85.31 | 54801 | TCP |
AV Detection
- Source: Virustotal
- Source: Integrated Neural Analysis Model
- Source: Static PE information
- Source: HTTPS traffic detected
Networking
- Source: Suricata IDS
- Source: Network Connect
- Source: Network traffic detected
- Source: TCP traffic
- Source: ASN Name
- Source: JA3 fingerprint
- Source: UDP traffic detected without corresponding DNS query
- Source: Code function: 14_2_7F3B4560
- Source: HTTP traffic detected
- Source: DNS traffic detected