SYMBOLCOMMON_NAMEaka. SYNONYMS
win.matanbuchus (Back to overview)

Matanbuchus

There is no description at this point.

References
2022-06-23cybleCyble Research Labs
@online{labs:20220623:matanbuchus:45ed604, author = {Cyble Research Labs}, title = {{Matanbuchus Loader Resurfaces}}, date = {2022-06-23}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/}, language = {English}, urldate = {2022-08-15} } Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus
2022-06-19OALabsSergei Frankoff
@online{frankoff:20220619:matanbuchus:0a0a9dc, author = {Sergei Frankoff}, title = {{Matanbuchus Triage Notes}}, date = {2022-06-19}, organization = {OALabs}, url = {https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html}, language = {English}, urldate = {2022-06-27} } Matanbuchus Triage Notes
Matanbuchus
2022-06-17SANS ISCBrad Duncan
@online{duncan:20220617:malspam:25c76a4, author = {Brad Duncan}, title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}}, date = {2022-06-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28752}, language = {English}, urldate = {2022-06-22} } Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus
2022-05-23DCSOJohann Aydinbas, Colin Murphy
@online{aydinbas:20220523:deal:00dc16f, author = {Johann Aydinbas and Colin Murphy}, title = {{A deal with the devil: Analysis of a recent Matanbuchus sample}}, date = {2022-05-23}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a}, language = {English}, urldate = {2022-05-24} } A deal with the devil: Analysis of a recent Matanbuchus sample
Matanbuchus
2022-05-22R136a1Dominik Reichel
@online{reichel:20220522:introduction:47edade, author = {Dominik Reichel}, title = {{Introduction of a PE file extractor for various situations}}, date = {2022-05-22}, organization = {R136a1}, url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/}, language = {English}, urldate = {2022-06-02} } Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus
2022-02-150ffset BlogChuong Dong
@online{dong:20220215:matanbuchus:cd8acc2, author = {Chuong Dong}, title = {{MATANBUCHUS: Another Loader As A Service Malware}}, date = {2022-02-15}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/}, language = {English}, urldate = {2022-02-17} } MATANBUCHUS: Another Loader As A Service Malware
Matanbuchus
2021-06-16Palo Alto Networks Unit 42Jeff White, Kyle Wilhoit
@online{white:20210616:matanbuchus:e514a4b, author = {Jeff White and Kyle Wilhoit}, title = {{Matanbuchus: Malware-as-a-Service with Demonic Intentions}}, date = {2021-06-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/}, language = {English}, urldate = {2021-06-21} } Matanbuchus: Malware-as-a-Service with Demonic Intentions
Matanbuchus BelialDemon
Yara Rules
[TLP:WHITE] win_matanbuchus_auto (20220808 | Detects win.matanbuchus.)
rule win_matanbuchus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.matanbuchus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 894df4 8b55f4 8b4508 034224 8945d0 8b4df4 }
            // n = 6, score = 400
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   034224               | add                 eax, dword ptr [edx + 0x24]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_1 = { 7208 8b45f8 3b450c 7362 }
            // n = 4, score = 400
            //   7208                 | jb                  0xa
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   7362                 | jae                 0x64

        $sequence_2 = { 0fb71441 8955f0 eb02 ebad 8b45f4 8b4dfc 03481c }
            // n = 7, score = 400
            //   0fb71441             | movzx               edx, word ptr [ecx + eax*2]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   eb02                 | jmp                 4
            //   ebad                 | jmp                 0xffffffaf
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   03481c               | add                 ecx, dword ptr [eax + 0x1c]

        $sequence_3 = { 8b45f8 50 e8???????? 8b4d08 881c01 e9???????? 5e }
            // n = 7, score = 400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   881c01               | mov                 byte ptr [ecx + eax], bl
            //   e9????????           |                     
            //   5e                   | pop                 esi

        $sequence_4 = { 8b4d08 034de4 894df4 8b55f4 8b4508 034224 8945d0 }
            // n = 7, score = 400
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034de4               | add                 ecx, dword ptr [ebp - 0x1c]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   034224               | add                 eax, dword ptr [edx + 0x24]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_5 = { 837de803 7402 eb44 b901000000 d1e1 8b55ec 0fb6040a }
            // n = 7, score = 400
            //   837de803             | cmp                 dword ptr [ebp - 0x18], 3
            //   7402                 | je                  4
            //   eb44                 | jmp                 0x46
            //   b901000000           | mov                 ecx, 1
            //   d1e1                 | shl                 ecx, 1
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   0fb6040a             | movzx               eax, byte ptr [edx + ecx]

        $sequence_6 = { 694df495e9d15b 894df4 6955fc95e9d15b 8955fc 8b45fc }
            // n = 5, score = 400
            //   694df495e9d15b       | imul                ecx, dword ptr [ebp - 0xc], 0x5bd1e995
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   6955fc95e9d15b       | imul                edx, dword ptr [ebp - 4], 0x5bd1e995
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_7 = { 7908 49 81c900f0ffff 41 66894df8 0fb755fc 85d2 }
            // n = 7, score = 400
            //   7908                 | jns                 0xa
            //   49                   | dec                 ecx
            //   81c900f0ffff         | or                  ecx, 0xfffff000
            //   41                   | inc                 ecx
            //   66894df8             | mov                 word ptr [ebp - 8], cx
            //   0fb755fc             | movzx               edx, word ptr [ebp - 4]
            //   85d2                 | test                edx, edx

        $sequence_8 = { 83ec10 c745fc00000000 837d0800 743f 8b4508 }
            // n = 5, score = 400
            //   83ec10               | sub                 esp, 0x10
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   743f                 | je                  0x41
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_9 = { 8b4d08 0fbe1401 33550c 69c293010001 50 b901000000 c1e100 }
            // n = 7, score = 400
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0fbe1401             | movsx               edx, byte ptr [ecx + eax]
            //   33550c               | xor                 edx, dword ptr [ebp + 0xc]
            //   69c293010001         | imul                eax, edx, 0x1000193
            //   50                   | push                eax
            //   b901000000           | mov                 ecx, 1
            //   c1e100               | shl                 ecx, 0

    condition:
        7 of them and filesize < 2056192
}
Download all Yara Rules