SYMBOLCOMMON_NAMEaka. SYNONYMS
win.matanbuchus (Back to overview)

Matanbuchus

There is no description at this point.

References
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
@online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-06-23cybleCyble Research Labs
@online{labs:20220623:matanbuchus:45ed604, author = {Cyble Research Labs}, title = {{Matanbuchus Loader Resurfaces}}, date = {2022-06-23}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/}, language = {English}, urldate = {2022-08-15} } Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus
2022-06-19OALabsSergei Frankoff
@online{frankoff:20220619:matanbuchus:0a0a9dc, author = {Sergei Frankoff}, title = {{Matanbuchus Triage Notes}}, date = {2022-06-19}, organization = {OALabs}, url = {https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html}, language = {English}, urldate = {2022-06-27} } Matanbuchus Triage Notes
Matanbuchus
2022-06-17SANS ISCBrad Duncan
@online{duncan:20220617:malspam:25c76a4, author = {Brad Duncan}, title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}}, date = {2022-06-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28752}, language = {English}, urldate = {2022-06-22} } Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus
2022-05-23DCSOJohann Aydinbas, Colin Murphy
@online{aydinbas:20220523:deal:00dc16f, author = {Johann Aydinbas and Colin Murphy}, title = {{A deal with the devil: Analysis of a recent Matanbuchus sample}}, date = {2022-05-23}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a}, language = {English}, urldate = {2022-05-24} } A deal with the devil: Analysis of a recent Matanbuchus sample
Matanbuchus
2022-05-22R136a1Dominik Reichel
@online{reichel:20220522:introduction:47edade, author = {Dominik Reichel}, title = {{Introduction of a PE file extractor for various situations}}, date = {2022-05-22}, organization = {R136a1}, url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/}, language = {English}, urldate = {2022-06-02} } Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus
2022-02-150ffset BlogChuong Dong
@online{dong:20220215:matanbuchus:cd8acc2, author = {Chuong Dong}, title = {{MATANBUCHUS: Another Loader As A Service Malware}}, date = {2022-02-15}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/}, language = {English}, urldate = {2022-02-17} } MATANBUCHUS: Another Loader As A Service Malware
Matanbuchus
2021-06-16Palo Alto Networks Unit 42Jeff White, Kyle Wilhoit
@online{white:20210616:matanbuchus:e514a4b, author = {Jeff White and Kyle Wilhoit}, title = {{Matanbuchus: Malware-as-a-Service with Demonic Intentions}}, date = {2021-06-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/}, language = {English}, urldate = {2021-06-21} } Matanbuchus: Malware-as-a-Service with Demonic Intentions
Matanbuchus BelialDemon
Yara Rules
[TLP:WHITE] win_matanbuchus_auto (20230125 | Detects win.matanbuchus.)
rule win_matanbuchus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.matanbuchus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7507 33c0 e9???????? 8b4d08 034de4 894df4 8b55f4 }
            // n = 7, score = 400
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034de4               | add                 ecx, dword ptr [ebp - 0x1c]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_1 = { 8b55f8 8b45e8 8b4dfc 030c90 894de4 8b5514 52 }
            // n = 7, score = 400
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   030c90               | add                 ecx, dword ptr [eax + edx*4]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   52                   | push                edx

        $sequence_2 = { c1e010 3345f8 8945f8 b901000000 c1e100 8b55ec 0fb6040a }
            // n = 7, score = 400
            //   c1e010               | shl                 eax, 0x10
            //   3345f8               | xor                 eax, dword ptr [ebp - 8]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   b901000000           | mov                 ecx, 1
            //   c1e100               | shl                 ecx, 0
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   0fb6040a             | movzx               eax, byte ptr [edx + ecx]

        $sequence_3 = { 8945e8 837de801 743d 837de802 741f 837de803 }
            // n = 6, score = 400
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   837de801             | cmp                 dword ptr [ebp - 0x18], 1
            //   743d                 | je                  0x3f
            //   837de802             | cmp                 dword ptr [ebp - 0x18], 2
            //   741f                 | je                  0x21
            //   837de803             | cmp                 dword ptr [ebp - 0x18], 3

        $sequence_4 = { 8b45ec 0fb60c10 334df8 894df8 6955f895e9d15b }
            // n = 5, score = 400
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   0fb60c10             | movzx               ecx, byte ptr [eax + edx]
            //   334df8               | xor                 ecx, dword ptr [ebp - 8]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   6955f895e9d15b       | imul                edx, dword ptr [ebp - 8], 0x5bd1e995

        $sequence_5 = { 894dfc eb2d ba01000000 6bc200 }
            // n = 4, score = 400
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   eb2d                 | jmp                 0x2f
            //   ba01000000           | mov                 edx, 1
            //   6bc200               | imul                eax, edx, 0

        $sequence_6 = { 8955fc 8b45fc 3345f8 8945fc 694df095e9d15b }
            // n = 5, score = 400
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3345f8               | xor                 eax, dword ptr [ebp - 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   694df095e9d15b       | imul                ecx, dword ptr [ebp - 0x10], 0x5bd1e995

        $sequence_7 = { 8945d0 0fb74df4 0fb755f8 8b45f0 035010 3bca 7417 }
            // n = 7, score = 400
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   0fb74df4             | movzx               ecx, word ptr [ebp - 0xc]
            //   0fb755f8             | movzx               edx, word ptr [ebp - 8]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   035010               | add                 edx, dword ptr [eax + 0x10]
            //   3bca                 | cmp                 ecx, edx
            //   7417                 | je                  0x19

        $sequence_8 = { 8b4d08 894dec 8b5510 8955fc 837d0c04 }
            // n = 5, score = 400
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   837d0c04             | cmp                 dword ptr [ebp + 0xc], 4

        $sequence_9 = { e8???????? 8bc8 8b4514 8b5518 e8???????? }
            // n = 5, score = 400
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 2056192
}
Download all Yara Rules