matanbuchus | 0198e1a422da21797f0763ac6a3783046d960fa884640ff23f60349647433ec2

Analysis

Target

0198e1a422da21797f0763ac6a3783046d960fa884640ff23f60349647433ec2.dll
Size

525KB
MD5

8a2148caf20abf6cf9f5d14fe757ece7
SHA1

0ea0f741547e308c34ab1bfe6b16cba3c2315938
SHA256

0198e1a422da21797f0763ac6a3783046d960fa884640ff23f60349647433ec2
SHA512

7930146c5f4a3f14aee971d6504b0ddf74c003ed819e6f87842074ca11f034a7770c16e40f97cb2c428430b9ea5761197650508754d134b5c55dac5515413447

Score

10^/10

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1844	1740	WerFault.exe	15

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 1740	3428	rundll32.exe	15
PID 3428 wrote to memory of 1740	3428	rundll32.exe	15
PID 3428 wrote to memory of 1740	3428	rundll32.exe	15

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0198e1a422da21797f0763ac6a3783046d960fa884640ff23f60349647433ec2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0198e1a422da21797f0763ac6a3783046d960fa884640ff23f60349647433ec2.dll,#1
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 664
    3⤵
    - Program crash
    PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1740 -ip 1740
1⤵
PID:2696

memory/1740-131-0x00000000005B0000-0x0000000000639000-memory.dmp

Filesize
548KB

Download
memory/1740-133-0x0000000002080000-0x00000000020A0000-memory.dmp

Filesize
128KB

Download
memory/1740-135-0x0000000002080000-0x00000000020A0000-memory.dmp

Filesize
128KB

Download
memory/1740-134-0x0000000000790000-0x00000000007AE000-memory.dmp

Filesize
120KB

Download
memory/1740-132-0x0000000002080000-0x00000000020A0000-memory.dmp

Filesize
128KB

Download