SYMBOLCOMMON_NAMEaka. SYNONYMS
win.matanbuchus (Back to overview)

Matanbuchus

According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections.

Since it is used as a MaaS, both the malware it infiltrates into systems, and the attack reasons can vary - depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.

References
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
@online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-06-23cybleCyble Research Labs
@online{labs:20220623:matanbuchus:45ed604, author = {Cyble Research Labs}, title = {{Matanbuchus Loader Resurfaces}}, date = {2022-06-23}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/}, language = {English}, urldate = {2022-08-15} } Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus
2022-06-19OALabsSergei Frankoff
@online{frankoff:20220619:matanbuchus:0a0a9dc, author = {Sergei Frankoff}, title = {{Matanbuchus Triage Notes}}, date = {2022-06-19}, organization = {OALabs}, url = {https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html}, language = {English}, urldate = {2022-06-27} } Matanbuchus Triage Notes
Matanbuchus
2022-06-17SANS ISCBrad Duncan
@online{duncan:20220617:malspam:25c76a4, author = {Brad Duncan}, title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}}, date = {2022-06-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28752}, language = {English}, urldate = {2022-06-22} } Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus
2022-05-23DCSOJohann Aydinbas, Colin Murphy
@online{aydinbas:20220523:deal:00dc16f, author = {Johann Aydinbas and Colin Murphy}, title = {{A deal with the devil: Analysis of a recent Matanbuchus sample}}, date = {2022-05-23}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a}, language = {English}, urldate = {2022-05-24} } A deal with the devil: Analysis of a recent Matanbuchus sample
Matanbuchus
2022-05-22R136a1Dominik Reichel
@online{reichel:20220522:introduction:47edade, author = {Dominik Reichel}, title = {{Introduction of a PE file extractor for various situations}}, date = {2022-05-22}, organization = {R136a1}, url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/}, language = {English}, urldate = {2022-06-02} } Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus
2022-02-150ffset BlogChuong Dong
@online{dong:20220215:matanbuchus:cd8acc2, author = {Chuong Dong}, title = {{MATANBUCHUS: Another Loader As A Service Malware}}, date = {2022-02-15}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/}, language = {English}, urldate = {2022-02-17} } MATANBUCHUS: Another Loader As A Service Malware
Matanbuchus
2021-06-16Palo Alto Networks Unit 42Jeff White, Kyle Wilhoit
@online{white:20210616:matanbuchus:e514a4b, author = {Jeff White and Kyle Wilhoit}, title = {{Matanbuchus: Malware-as-a-Service with Demonic Intentions}}, date = {2021-06-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/}, language = {English}, urldate = {2021-06-21} } Matanbuchus: Malware-as-a-Service with Demonic Intentions
Matanbuchus BelialDemon
Yara Rules
[TLP:WHITE] win_matanbuchus_auto (20230407 | Detects win.matanbuchus.)
rule win_matanbuchus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.matanbuchus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d9401f8000000 52 e8???????? 837dec40 }
            // n = 4, score = 400
            //   8d9401f8000000       | lea                 edx, [ecx + eax + 0xf8]
            //   52                   | push                edx
            //   e8????????           |                     
            //   837dec40             | cmp                 dword ptr [ebp - 0x14], 0x40

        $sequence_1 = { 742e 8b4508 8945fc 8b4d10 894df8 8b5510 }
            // n = 6, score = 400
            //   742e                 | je                  0x30
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_2 = { 8945f0 8b4df0 3b4de4 736d 8b55f0 8b45f4 0fb74c5008 }
            // n = 7, score = 400
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   3b4de4               | cmp                 ecx, dword ptr [ebp - 0x1c]
            //   736d                 | jae                 0x6f
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0fb74c5008           | movzx               ecx, word ptr [eax + edx*2 + 8]

        $sequence_3 = { 8b450c 50 8b4d08 51 683afd800e }
            // n = 5, score = 400
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   683afd800e           | push                0xe80fd3a

        $sequence_4 = { 52 50 e8???????? 8bc8 8b4514 8b5518 }
            // n = 6, score = 400
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]

        $sequence_5 = { 41 66894df8 0fb755fc 85d2 7502 ebb4 0fb745fc }
            // n = 7, score = 400
            //   41                   | inc                 ecx
            //   66894df8             | mov                 word ptr [ebp - 8], cx
            //   0fb755fc             | movzx               edx, word ptr [ebp - 4]
            //   85d2                 | test                edx, edx
            //   7502                 | jne                 4
            //   ebb4                 | jmp                 0xffffffb6
            //   0fb745fc             | movzx               eax, word ptr [ebp - 4]

        $sequence_6 = { 8b45ec 0fb60c10 334df8 894df8 6955f895e9d15b }
            // n = 5, score = 400
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   0fb60c10             | movzx               ecx, byte ptr [eax + edx]
            //   334df8               | xor                 ecx, dword ptr [ebp - 8]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   6955f895e9d15b       | imul                edx, dword ptr [ebp - 8], 0x5bd1e995

        $sequence_7 = { 51 8b55f0 52 6b45f828 8b4dfc 038c0534fdffff }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   6b45f828             | imul                eax, dword ptr [ebp - 8], 0x28
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   038c0534fdffff       | add                 ecx, dword ptr [ebp + eax - 0x2cc]

        $sequence_8 = { 8b550c 3b55e0 750f 8b45f8 }
            // n = 4, score = 400
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   3b55e0               | cmp                 edx, dword ptr [ebp - 0x20]
            //   750f                 | jne                 0x11
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_9 = { 3b4a14 7321 0fb745fc 8b4ddc }
            // n = 4, score = 400
            //   3b4a14               | cmp                 ecx, dword ptr [edx + 0x14]
            //   7321                 | jae                 0x23
            //   0fb745fc             | movzx               eax, word ptr [ebp - 4]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]

    condition:
        7 of them and filesize < 2056192
}
Download all Yara Rules