Pulse: Malspam pushes Matanbuchus malware, leads to Cobalt Strike - SANS Internet Storm Center
TLP: WHITE | Author: dekaRituraj | Created: 2022-06-20 | Modified: 2022-07-20
Indicators: 96 (high volume)
Security researchers have observed a new malicious spam campaign that delivers the 'Matanbuchus' loader, which in turn drops Cobalt Strike beacons on compromised machines. Cobalt Strike is a penetration testing suite that threat actors frequently abuse for lateral movement and for deploying additional payloads. Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in dark web advertisements promoting it as a $2,500 loader that launches executables directly in system memory.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Matanbuchus, Cobalt Strike
Indicators of Compromise (96)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 257d2452d7d66a4de9e0374cadebab9b MD5 of 7643468adbc1fca4342b7458f0e1dc4ae11c0dde7c06e52fea02c1e057314def 2022-06-20
FileHash-MD5 95159f5427c976d28c86aa716799e6de MD5 of f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e 2022-06-20
FileHash-SHA1 4bfbf8c48f17a7c7269dfc314e5e5bd166db857f SHA1 of f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e 2022-06-20
FileHash-SHA1 75143bc1eee2aabef275c84c4be5587387e1adcf SHA1 of 7643468adbc1fca4342b7458f0e1dc4ae11c0dde7c06e52fea02c1e057314def 2022-06-20
FileHash-SHA256 19bbebd1e8ec335262e846149a893f4ce803f201e4dee7f3770d95287f9245f3 2022-06-20
FileHash-SHA256 1bc74dfb2142e4929244c6c7e10415664d4e71a5301eaf8e03cb426fab0876f8 2022-06-20
FileHash-SHA256 23fe3af756e900b5878ec685b2c80acd6f821453c03d10d23871069b23a02926 2022-06-20
FileHash-SHA256 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4 2022-06-20
FileHash-SHA256 39ec827d24fe68d341cff2a85ef0a7375e9c313064903b92d4c32c7413d84661 2022-06-20
FileHash-SHA256 4242064d3f62b0ded528d89032517747998d2fe9888d5feaa2a3684de2370912 2022-06-20
FileHash-SHA256 4ee7350176014c7fcb8d33a79dcb1076794a2f86e9b2348f2715ca81f011e799 2022-06-20
FileHash-SHA256 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3 2022-06-20
FileHash-SHA256 53af0319d68b0dcbf7cb37559ddfd70cce8c526614c218b5765babdc54500a49 2022-06-20
FileHash-SHA256 56ec91b8e594824a678508b694a7107d55cf9cd77a1e01a6a44993836b40ec7a 2022-06-20
FileHash-SHA256 5708dced57f30ff79e789401360300fe3d5bdcf8f988ede6539b9608dfeb58fd 2022-06-20
FileHash-SHA256 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da 2022-06-20
FileHash-SHA256 63242d49d842cdf699b0ec04ad7bba8867080f8337d3e0ec7e768d10573142b3 2022-06-20
FileHash-SHA256 6b2428fcf9e3a555a3a29fc5582baa1eda15e555c1c85d7bef7ac981d76b6068 2022-06-20
FileHash-SHA256 6c5eb5d9a66200f0ab69ee49ba6411abf29840bce00ed0681ec8b48e24fd83da 2022-06-20
FileHash-SHA256 6d3259011b9f2abd3b0c3dc5b609ac503392a7d8dea018b78ecd39ec097b3968 2022-06-20
FileHash-SHA256 72426e6b8ea42012675c07bf9a2895bcd7eae15c82343b4b71aece29d96a7b22 2022-06-20
FileHash-SHA256 7643468adbc1fca4342b7458f0e1dc4ae11c0dde7c06e52fea02c1e057314def 2022-06-20
FileHash-SHA256 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9 2022-06-20
FileHash-SHA256 7f0bf9496f21050fbc1a3ce5ad35dc300f595c71ad9e73ff5fc5c06b2e35a435 2022-06-20
FileHash-SHA256 82add858e5a64789b26c77e5ec4608e1f162aacbc9163920a0d4aa53eb3e9713 2022-06-20
FileHash-SHA256 a5b06297d86aee3c261df7415a4fa873f38bd5573523178000d89a8d5fd64b9a 2022-06-20
FileHash-SHA256 af534b21a0a0b0c09047e1f3d4f0cdd73fb37f03b745dbb42ffd2340a379dc42 2022-06-20
FileHash-SHA256 b9720e833fa96fec76f492295d7a46b6f524b958278d322c4ccecdc313811f11 2022-06-20
FileHash-SHA256 bd68ecd681b844232f050c21c1ea914590351ef64e889d8ef37ea63bd9e2a2ec 2022-06-20
FileHash-SHA256 c117b17bf187a3d52278eb229a1f2ac8a73967d162ad0cfc55089d304b1cc8a7 2022-06-20
FileHash-SHA256 c6e9477fd41ac9822269486c77d0f5d560ee2f558148ca95cf1de39dea034186 2022-06-20
FileHash-SHA256 cc08642ddbbb8f735a3263180164cda6cf3b73a490fc742d5c3e31130504e97c 2022-06-20
FileHash-SHA256 d0e2e92ec9d3921dc73b962354c7708f06a1a34cce67e8b67af4581adfc7aaad 2022-06-20
FileHash-SHA256 de26167160e7df91bbd992a3523ea6a82049932b947452bb58e9eed3011c769a 2022-06-20
FileHash-SHA256 e22ec74cd833a85882d5a8e76fa3b35daff0b7390bfbcd6b1ab270fd3741ceea 2022-06-20
FileHash-SHA256 e3b98dac9c4c57a046c50ce530c79855c9fe4025a9902d0f45b0fb0394409730 2022-06-20
FileHash-SHA256 ef4ea3976bad1cd68a2da2d926677c0cb04f4fc6e0b629b9a29a1c61ae984c46 2022-06-20
FileHash-SHA256 f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e 2022-06-20
FileHash-SHA256 face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666 2022-06-20
URL http://144.208.127.245/cob23_443.txt 2022-06-20
URL http://144.208.127.245/cob_220_443.dll 2022-06-20
URL https://extic.icu/ 2022-06-20
URL https://extic.icu/empower/type.tiff 2022-06-20
URL https://reykh.icu/load/hunt.jpgv 2022-06-20
URL https://reykh.icu/thaw.txt 2022-06-20
URL https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/auth.aspx f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e 2022-06-20
URL https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx 2022-06-20
domain collectiontelemetrysystem.com 2022-06-20
domain extic.icu 2022-06-20
domain reykh.icu 2022-06-20
domain telemetrysystemcollection.com 2022-06-20
URL http://idea-secure-login.com 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 2022-06-20
FileHash-MD5 66dc5f1dd7d36839434ad39b4a21639b MD5 of af356a39a298f6a48f8091afc2f2fc0639338b11813f4f4bd05aba4e65d2bbe3 2022-06-20
FileHash-MD5 a6f9bec79e8364ef71912139462626d8 MD5 of 7fbaf7420943d4aa327bb82a357cd31ca92c7c83277f73a195d45bd18365cfce 2022-06-20
FileHash-SHA1 13211223e7ddd670fb95214a72bea9d109861c56 SHA1 of 7fbaf7420943d4aa327bb82a357cd31ca92c7c83277f73a195d45bd18365cfce 2022-06-20
FileHash-SHA1 fb089f06f65ffd937e44f328b54e43ed41b4190e SHA1 of af356a39a298f6a48f8091afc2f2fc0639338b11813f4f4bd05aba4e65d2bbe3 2022-06-20
FileHash-SHA256 41727fc99b9d99abd7183f6eec9052f86de076c04056e224ac366762c361afda 2022-06-20
FileHash-SHA256 7fbaf7420943d4aa327bb82a357cd31ca92c7c83277f73a195d45bd18365cfce 2022-06-20
FileHash-SHA256 af356a39a298f6a48f8091afc2f2fc0639338b11813f4f4bd05aba4e65d2bbe3 2022-06-20
URL http://eonsabode.at/kntwtopnbt/iqiw922vv5/AveBelial.xml 2022-06-20
URL http://idea-secure-login.com/3/ddg.dll 2022-06-20
domain biznesplanet-bnpparlba.com 2022-06-20
domain biznesplanet-parlbabnp.com 2022-06-20
domain biznesplanet-parlbas.com 2022-06-20
domain bos24-logowan.com 2022-06-20
domain bos24-logowanie.com 2022-06-20
domain bos24-online.com 2022-06-20
domain citationsherbe.at 2022-06-20
domain dostawapapajohns.online 2022-06-20
domain eonsabode.at 2022-06-20
domain flash-player-update.digital 2022-06-20
domain flash-update.digital 2022-06-20
domain flashplayer-update.digital 2022-06-20
domain flashupdate.digital 2022-06-20
domain flowsrectifie.at 2022-06-20
domain ibos-online24.com 2022-06-20
domain ibos24-login.com 2022-06-20
domain ibos24-online.com 2022-06-20
domain idea-secure-login.com 2022-06-20
domain login-biznesplanet.com 2022-06-20
domain login-bos24.com 2022-06-20
domain odatingactualiz.at 2022-06-20
domain onlinepapajohns.online 2022-06-20
domain papa-johns-dostawa.digital 2022-06-20
domain papa-johns-dostawa.online 2022-06-20
domain player-update.digital 2022-06-20
domain playerupdate.digital 2022-06-20
domain sso-cloud-idea.com 2022-06-20
domain upgrade-flash-player.digital 2022-06-20
domain wallet-secure.biz 2022-06-20
domain wallet-secure.me 2022-06-20
domain wallet-secure.org 2022-06-20
domain wallet-secure.site 2022-06-20
domain wallet-secure.xyz 2022-06-20
hostname biznesplanet.parlbabnp.com 2022-06-20
hostname login.wallet-secure.org 2022-06-20