matanbuchus | 647230baf87469b45f90d441ec31b60acd021896a6d26a1cc223fc83d659812e

Analysis

Target

647230baf87469b45f90d441ec31b60acd021896a6d26a1cc223fc83d659812e.dll
Size

522KB
MD5

6db05064d40df7fcb691dc518ff16d8b
SHA1

e677bc818dcf532b225bcf2105f5b7a234eebb1a
SHA256

647230baf87469b45f90d441ec31b60acd021896a6d26a1cc223fc83d659812e
SHA512

6882a358f8caf744970a062f7a23cbb5c2182f285f299634dd26dc4f2e41ff8a93fdb00aac7caa577fe3140107e7c788c98d6741b34c8d2472f7f0846d705056

Score

10^/10

Family

matanbuchus

https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml

https://belialw869367.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml

https://beliale232634.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml

https://belialr878539.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml

https://belialp632298.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1344 3988 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1344	3988	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1344 WerFault.exe
Token: SeBackupPrivilege 1344 WerFault.exe
Token: SeDebugPrivilege 1344 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3496 wrote to memory of 3988	3496	rundll32.exe	rundll32.exe
PID 3496 wrote to memory of 3988	3496	rundll32.exe	rundll32.exe
PID 3496 wrote to memory of 3988	3496	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\647230baf87469b45f90d441ec31b60acd021896a6d26a1cc223fc83d659812e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\647230baf87469b45f90d441ec31b60acd021896a6d26a1cc223fc83d659812e.dll,#1
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 692
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344

memory/3988-118-0x0000000000000000-mapping.dmp

Download
memory/3988-119-0x0000000000C00000-0x0000000000D4A000-memory.dmp

Filesize
1.3MB

Download
memory/3988-121-0x0000000003290000-0x00000000032AE000-memory.dmp

Filesize
120KB

Download
memory/3988-120-0x0000000003290000-0x00000000032AE000-memory.dmp

Filesize
120KB

Download
memory/3988-123-0x0000000003290000-0x00000000032AE000-memory.dmp

Filesize
120KB

Download
memory/3988-122-0x0000000003250000-0x000000000326F000-memory.dmp

Filesize
124KB

Download