matanbuchus | 8140ac01ec377af7788eddd79d665d5000b34e7d064499b96c9d540582b28913

Analysis

Target

Yukoste3.ocx.dll
Size

522KB
MD5

67d5dfcde8225a0cdf760d833ca44387
SHA1

9db7b3f5c7cff58d8a06f2f4cc82d9f7339f49e1
SHA256

8140ac01ec377af7788eddd79d665d5000b34e7d064499b96c9d540582b28913
SHA512

1436c7b1b3168c93d185d86ed375ce8cd45a77c3135a27f68cb8b0aa7cf06a5ba7e05c688d2602d3bba2e73f811c13ab222f37d5fd4df4ad78561d35048e3fb8

Score

10^/10

Family

matanbuchus

https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml

https://belialw869367.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml

https://beliale232634.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml

https://belialr878539.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml

https://belialp632298.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

428 2544 WerFault.exe rundll32.exe

pid	pid_target	process	target process
428	2544	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 428 WerFault.exe
Token: SeBackupPrivilege 428 WerFault.exe
Token: SeDebugPrivilege 428 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2444 wrote to memory of 2544	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 2544	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 2544	2444	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Yukoste3.ocx.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Yukoste3.ocx.dll,#1
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 688
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:428

memory/2544-115-0x0000000000000000-mapping.dmp

Download
memory/2544-116-0x0000000003F00000-0x0000000003F86000-memory.dmp

Filesize
536KB

Download
memory/2544-117-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2544-118-0x0000000004450000-0x000000000446E000-memory.dmp

Filesize
120KB

Download
memory/2544-119-0x0000000004450000-0x000000000446E000-memory.dmp

Filesize
120KB

Download
memory/2544-120-0x0000000004410000-0x000000000442F000-memory.dmp

Filesize
124KB

Download
memory/2544-121-0x0000000004450000-0x000000000446E000-memory.dmp

Filesize
120KB

Download