SYMBOLCOMMON_NAMEaka. SYNONYMS
win.matanbuchus (Back to overview)

Matanbuchus


According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections.

Since it is used as a MaaS, both the malware it infiltrates into systems, and the attack reasons can vary - depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.

References
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
@online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-06-23cybleCyble Research Labs
@online{labs:20220623:matanbuchus:45ed604, author = {Cyble Research Labs}, title = {{Matanbuchus Loader Resurfaces}}, date = {2022-06-23}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/}, language = {English}, urldate = {2022-08-15} } Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus
2022-06-19OALabsSergei Frankoff
@online{frankoff:20220619:matanbuchus:0a0a9dc, author = {Sergei Frankoff}, title = {{Matanbuchus Triage Notes}}, date = {2022-06-19}, organization = {OALabs}, url = {https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html}, language = {English}, urldate = {2022-06-27} } Matanbuchus Triage Notes
Matanbuchus
2022-06-17SANS ISCBrad Duncan
@online{duncan:20220617:malspam:25c76a4, author = {Brad Duncan}, title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}}, date = {2022-06-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28752}, language = {English}, urldate = {2022-06-22} } Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus
2022-05-23DCSOJohann Aydinbas, Colin Murphy
@online{aydinbas:20220523:deal:00dc16f, author = {Johann Aydinbas and Colin Murphy}, title = {{A deal with the devil: Analysis of a recent Matanbuchus sample}}, date = {2022-05-23}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a}, language = {English}, urldate = {2022-05-24} } A deal with the devil: Analysis of a recent Matanbuchus sample
Matanbuchus
2022-05-22R136a1Dominik Reichel
@online{reichel:20220522:introduction:47edade, author = {Dominik Reichel}, title = {{Introduction of a PE file extractor for various situations}}, date = {2022-05-22}, organization = {R136a1}, url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/}, language = {English}, urldate = {2022-06-02} } Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus
2022-02-150ffset BlogChuong Dong
@online{dong:20220215:matanbuchus:cd8acc2, author = {Chuong Dong}, title = {{MATANBUCHUS: Another Loader As A Service Malware}}, date = {2022-02-15}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/}, language = {English}, urldate = {2022-02-17} } MATANBUCHUS: Another Loader As A Service Malware
Matanbuchus
2021-06-16Palo Alto Networks Unit 42Jeff White, Kyle Wilhoit
@online{white:20210616:matanbuchus:e514a4b, author = {Jeff White and Kyle Wilhoit}, title = {{Matanbuchus: Malware-as-a-Service with Demonic Intentions}}, date = {2021-06-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/}, language = {English}, urldate = {2021-06-21} } Matanbuchus: Malware-as-a-Service with Demonic Intentions
Matanbuchus BelialDemon
Yara Rules
[TLP:WHITE] win_matanbuchus_auto (20230715 | Detects win.matanbuchus.)
rule win_matanbuchus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.matanbuchus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3b55e0 750f 8b45f8 8b4ddc 0fb71441 }
            // n = 5, score = 400
            //   3b55e0               | cmp                 edx, dword ptr [ebp - 0x20]
            //   750f                 | jne                 0x11
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   0fb71441             | movzx               edx, word ptr [ecx + eax*2]

        $sequence_1 = { 8d95b8feffff 52 8b45fc 0345ec 50 }
            // n = 5, score = 400
            //   8d95b8feffff         | lea                 edx, [ebp - 0x148]
            //   52                   | push                edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0345ec               | add                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax

        $sequence_2 = { 668b4d0c 66894df4 837d0800 0f8401010000 8b5508 8b423c }
            // n = 6, score = 400
            //   668b4d0c             | mov                 cx, word ptr [ebp + 0xc]
            //   66894df4             | mov                 word ptr [ebp - 0xc], cx
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   0f8401010000         | je                  0x107
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b423c               | mov                 eax, dword ptr [edx + 0x3c]

        $sequence_3 = { 8b450c 50 8b4d08 51 683afd800e }
            // n = 5, score = 400
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   683afd800e           | push                0xe80fd3a

        $sequence_4 = { 8955ec 0fb745fc 8b4dd8 668b1441 668955f8 }
            // n = 5, score = 400
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   0fb745fc             | movzx               eax, word ptr [ebp - 4]
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   668b1441             | mov                 dx, word ptr [ecx + eax*2]
            //   668955f8             | mov                 word ptr [ebp - 8], dx

        $sequence_5 = { 833d????????00 7517 8b450c 50 8b4d08 51 68a48c9471 }
            // n = 7, score = 400
            //   833d????????00       |                     
            //   7517                 | jne                 0x19
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   68a48c9471           | push                0x71948ca4

        $sequence_6 = { 837df000 7424 8b4df8 8a11 8855ff }
            // n = 5, score = 400
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0
            //   7424                 | je                  0x26
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   8855ff               | mov                 byte ptr [ebp - 1], dl

        $sequence_7 = { 51 8b55f0 52 6b45f828 8b4dfc 038c0534fdffff }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   6b45f828             | imul                eax, dword ptr [ebp - 8], 0x28
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   038c0534fdffff       | add                 ecx, dword ptr [ebp + eax - 0x2cc]

        $sequence_8 = { 8955ec 0fb745fc 8b4dd8 668b1441 668955f8 eb0f }
            // n = 6, score = 400
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   0fb745fc             | movzx               eax, word ptr [ebp - 4]
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   668b1441             | mov                 dx, word ptr [ecx + eax*2]
            //   668955f8             | mov                 word ptr [ebp - 8], dx
            //   eb0f                 | jmp                 0x11

        $sequence_9 = { 8b550c 3b55e0 750f 8b45f8 }
            // n = 4, score = 400
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   3b55e0               | cmp                 edx, dword ptr [ebp - 0x20]
            //   750f                 | jne                 0x11
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

    condition:
        7 of them and filesize < 2056192
}
Download all Yara Rules