{
	"id": "2a46dcd5-df32-439a-9739-19dcd4cbd1d4",
	"created_at": "2026-04-06T00:18:45.49227Z",
	"updated_at": "2026-04-10T03:30:57.693882Z",
	"deleted_at": null,
	"sha1_hash": "d1158b666054c2e83e625f1f575b3a104fac9c74",
	"title": "A deal with the devil: Analysis of a recent Matanbuchus sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1551434,
	"plain_text": "A deal with the devil: Analysis of a recent Matanbuchus sample\r\nBy DCSO CyTec Blog\r\nPublished: 2022-11-08 · Archived: 2026-04-05 16:38:41 UTC\r\nMatanbuchus is the name given to a Malware-as-a-Service sold on Russian-speaking cybercriminal forums. Starting at a rental price of $2,500, the malware consists of an obfuscated two-stage loader which has been deployed in conjunction with Qakbot and Cobalt Strike payloads. Last year, Unit42 observed the malware used in activity targeting a Belgian technology company and American educational institutions.\r\nSince the fall of last year, there have been few public reports about Matanbuchus, and in general, reports have focused primarily on the first loader stage. In this report, we inspect the second stage of the loader, which was briefly mentioned in the article published by Unit42 but not analyzed in depth.\r\nThe sample analyzed here was found on VirusTotal while investigating signed binaries which appeared in a routine code signing hunt.\r\nThis blog was authored by Johann Aydinbas and Colin Murphy\r\nAttack Chain\r\nWe start our analysis with the MSI installer package ea8b828430149f67f45f9a71ee486bc674e21da7 (SHA-1).\r\nhttps://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a\r\nPage 1 of 10\r\nIt disguises itself as a Visual Studio installer:\r\nMSI installer pretending to be Visual Studio\r\nThe .msi file has a valid signature from “ADVANCED ACCESS SERVICES LTD” with a recent signing date:\r\nInstaller signed by “ADVANCED ACCESS SERVICES LTD”\r\nOn execution, it creates a directory called VisualStudioIDE in %LOCALAPPDATA% and drops three files:\r\nFiles dropped by installer\r\nWhile locale.nls is the actual Matanbuchus loader component, the other two files don’t seem to serve a purpose and are likely benign. DWLog.dll is a DLL signed by “Adobe Inc.” and MSTTSLoc.dll appears to be a Microsoft Text to Speech component, but neither appears to be an active part of the attack chain.\r\nAfter dropping the files, the installer finally executes the Matanbuchus loader component via regsvr32.exe:\r\nInstaller calling regsvr32 to execute loader\r\nWhile the value of the argument supplied via “-i” does not matter (regsvr32 simply hands it to the DLL’s DllInstall export), the loader component does check for the existence of an argument at runtime. If it is omitted, the loader does not continue. This is likely meant to avoid execution in sandboxes which simply execute the available exports one by one, without arguments.\r\nObfuscation\r\nBoth Matanbuchus stages use string and API obfuscation as previously documented by 0ffset.\r\nAll used strings are stored on the stack at runtime, transferred to a static location and then decrypted using an 8-byte rolling XOR for further use.\r\nAll API calls are obfuscated as well. Matanbuchus uses an FNV-1a hash of the API name to look up the desired API’s address before each call.\r\nFirst Stage\r\nThe first stage of Matanbuchus, locale.nls, acts as a loader for the core component. The loader component has mainly two functions:\r\nKeep itself updated\r\nFetch the 2nd stage and execute it from memory\r\nAfter execution, the loader first attempts to update itself by fetching a hardcoded URL via HTTPS. Next it tries to retrieve the core component from a different URL.
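To make the two obfuscation mechanisms above concrete, here is an added Python helper written for this page (it is neither the authors’ tooling nor code from the sample) that decrypts rolling-XOR blobs and builds a hash-to-name table for resolving the FNV-1a API hashes seen in the disassembly. It assumes the common 32-bit FNV-1a constants applied to the raw ASCII export name; all keys and export lists in it are constructed test data, and the real sample’s keys and hash variant have to be taken from the binary. The same XOR routine covers the 8-byte key used for the stack strings and the 24-byte key applied to the base64-decoded core component download.

```python
# Added analysis helper for this page; not the DCSO script and not malware code.
import base64

# Standard 32-bit FNV-1a parameters. Assumption: the sample uses this width
# and hashes the export name as-is (no case folding); verify against the binary.
FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def rolling_xor(data, key):
    '''XOR byte i of data with key[i % len(key)]; symmetric, so it also encrypts.

    Matanbuchus applies this with an 8-byte key to its stack strings and with
    a 24-byte key to the downloaded core component.'''
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_core_component(body, key):
    '''Second-stage download: base64-decode the HTTP body, then 24-byte XOR.'''
    if len(key) != 24:
        raise ValueError('core component key is 24 bytes long')
    return rolling_xor(base64.b64decode(body), key)


def encode_core_component(payload, key):
    '''Server side of the same transform, e.g. for a fake download server.'''
    return base64.b64encode(rolling_xor(payload, key)).decode('ascii')


def fnv1a32(name):
    '''32-bit FNV-1a over the ASCII bytes of an export name.'''
    h = FNV32_OFFSET
    for byte in name.encode('ascii'):
        h = ((h ^ byte) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def build_hash_table(export_names):
    '''Map hash -> name so that constants found in the code can be resolved.
    In practice export_names comes from the export tables of the DLLs the
    sample resolves (kernel32, ws2_32, shell32, ...), e.g. parsed with pefile.'''
    return {fnv1a32(n): n for n in export_names}


def resolve(table, api_hash):
    '''Name for a hash, or a placeholder that keeps the unresolved value visible.'''
    return table.get(api_hash, 'UNKNOWN_%08x' % api_hash)


if __name__ == '__main__':
    # Constructed test data, not values from the sample.
    key8 = bytes.fromhex('1f2e3d4c5b6a7988')
    blob = rolling_xor(b'DllRegisterServer', key8)
    print(rolling_xor(blob, key8))
    key24 = bytes(range(24))
    print(decode_core_component(encode_core_component(b'MZ test payload', key24), key24))
    table = build_hash_table(['CreateThread', 'VirtualAlloc', 'send', 'recv'])
    print(hex(fnv1a32('VirtualAlloc')), resolve(table, fnv1a32('VirtualAlloc')))
```

In use, the key for each stage is copied out of the binary, the export lists are read from the DLLs the sample actually resolves, and the table is consulted for every hash constant passed to the resolver routine; a miss usually means the hash variant (width, case folding, terminating NUL) differs from the assumption above.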
The response is base64-decoded and decrypted using a 24-byte rolling XOR.\r\nIf retrieval is successful, the core component is manually mapped into the same process and executed by calling its export DllRegisterServer.\r\nSecond Stage\r\nThe second stage is the core component of Matanbuchus. It is responsible for fetching and executing commands, such as running shell commands, executing shellcode or loading further PE files.\r\nDebug data contained in the core component\r\nUnlike the first stage, communication with the C2 server is done over plain HTTP on a hardcoded high port, manually implemented using low-level network APIs such as send and recv.\r\nExample exchange\r\nServer and client exchange base64-encoded JSON objects, with the JSON values additionally being RC4-encrypted using a hardcoded key. The JSON keys are also hardcoded per sample.\r\nDecoded example request with still encrypted values\r\nFetching tasks\r\nA typical sequence of fetching a task starts with Matanbuchus sending a system information packet to its C2:\r\nFully decrypted first packet\r\nWe’ve identified the following fields:\r\n| Key | Meaning |\r\n|-------|---------------------|\r\n| 3CEk | CPU info from cpuid |\r\n| 3fe11 | Amount of RAM |\r\n| 3m7x | \"User\" or \"Admin\" |\r\n| DS2x | Bitness |\r\n| Eo6 | Botnet/campaign |\r\n| Fto | Number of CPUs |\r\n| Q6X6 | Domain name |\r\n| Vz | Module path |\r\n| cBF | MAC address |\r\n| f1da | Logon server |\r\n| tW | Computer name |\r\n| wP6 | Bot version |\r\n| zkC7 | NetBIOS name |\r\n| Los | Unknown, hardcoded |\r\nThe server then responds with a task object:\r\nExample task object as sent by the server, decrypted\r\nThe fields are:\r\n| Key | Meaning |\r\n|-----|-----------------|\r\n| Gp | Command string |\r\n| Pk | Argument |\r\n| vM | Task identifier |\r\nAfter the client executes the given task, it communicates the status back to the server, providing the previously supplied task identifier (vM) in a field named bN.\r\nClient response to a successful task, decrypted\r\nThe field NSeyDX is hardcoded into the response; its purpose is unknown.\r\nThe field Jb is used to communicate success/failure of a given task. For a successful task execution, it is set to vpes as shown above, or to indicate failure it is set to jpofxs.
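Pulling the exchange above together, here is an added Python codec and fake-server round trip written for this page; it is not the authors’ decryption script, and the real JSON key names, RC4 key and task values must be taken from a capture or from the sample. It assumes that each RC4-encrypted value is carried as base64 text inside the JSON, which the write-up does not state explicitly; the RC4 key and all traffic in it are constructed. The server side builds a task object with Gp, Pk and vM, and the emulated client answers with bN and Jb, as in the decrypted packets above.

```python
# Added example for this page: not the DCSO decryptor and not malware code.
import base64
import json

# Field names documented for this sample; they are hardcoded per build.
TASK_COMMAND, TASK_ARG, TASK_ID = 'Gp', 'Pk', 'vM'
REPLY_TASK_ID, REPLY_STATUS = 'bN', 'Jb'
STATUS_OK, STATUS_FAIL = 'vpes', 'jpofxs'
SYSINFO_FIELDS = {'3CEk': 'cpu info', '3fe11': 'ram', '3m7x': 'user or admin',
                  'DS2x': 'bitness', 'Eo6': 'botnet/campaign', 'Fto': 'cpu count',
                  'Q6X6': 'domain', 'Vz': 'module path', 'cBF': 'mac address',
                  'f1da': 'logon server', 'tW': 'computer name', 'wP6': 'bot version',
                  'zkC7': 'netbios name', 'Los': 'unknown, hardcoded'}
# Constructed key; the real one is hardcoded in the core component.
RC4_KEY = b'constructed-key-not-from-the-sample'


def rc4(key, data):
    '''Plain RC4 (KSA then PRGA). Symmetric: the same call decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def seal(fields, key=RC4_KEY):
    '''One message: RC4 every value, base64 it (assumption), JSON, base64 the whole.'''
    enc = {k: base64.b64encode(rc4(key, v.encode('utf-8'))).decode('ascii')
           for k, v in fields.items()}
    return base64.b64encode(json.dumps(enc).encode('utf-8')).decode('ascii')


def unseal(blob, key=RC4_KEY):
    '''Reverse of seal; this is what a capture decryptor does per message.'''
    enc = json.loads(base64.b64decode(blob))
    return {k: rc4(key, base64.b64decode(v)).decode('utf-8') for k, v in enc.items()}


def describe_sysinfo(fields):
    '''Label the keys of a decrypted first packet with their meaning.'''
    return {SYSINFO_FIELDS.get(k, 'unknown key ' + k): v for k, v in fields.items()}


def make_task(command, argument, task_id):
    '''Fake server: the task object the C2 returns after the sysinfo packet.'''
    return seal({TASK_COMMAND: command, TASK_ARG: argument, TASK_ID: task_id})


def answer_task(blob):
    '''Emulated client: decode a task and report its status back to the C2.
    Only the no-op command Vs succeeds here; anything that would fetch and
    run a payload is reported as failed instead of being executed.'''
    task = unseal(blob)
    status = STATUS_OK if task[TASK_COMMAND] == 'Vs' else STATUS_FAIL
    return seal({REPLY_TASK_ID: task[TASK_ID], REPLY_STATUS: status})


if __name__ == '__main__':
    # Constructed traffic, not a real capture.
    beacon = seal({'tW': 'DESKTOP-TEST', '3m7x': 'User', 'wP6': '1.0', 'Los': 'x'})
    print(describe_sysinfo(unseal(beacon)))
    task = make_task('Vs', '', 'task-1')
    print(unseal(task), unseal(answer_task(task)))
    task = make_task('Running exe', 'http://c2.invalid/payload.exe', 'task-2')
    print(unseal(answer_task(task)))
```

Against real traffic, replace RC4_KEY and the field names with the ones from the sample and feed unseal the base64 body of each request or reply; the client’s reply to a task then carries the task identifier in bN and vpes or jpofxs in Jb.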
Both strings are also hardcoded.\r\nCommands\r\nSurprisingly, the command field Gp as issued by the C2 is in plaintext (before encryption) and quite verbose. While we did not receive any actual tasks during our analysis, we created a fake server to verify this finding and can confirm that the commands work as listed below. It is unclear if this is an oversight on the developer’s part or intended.\r\nExcept for the 1st entry (“Vs”), which is used as a no-op command, the others are rather descriptive and provide a variety of ways to execute additional code:\r\nVs\r\nRunning exe\r\nStarting the exe with parameters\r\nHigh start exe\r\nRunDll32 \u0026 Execute\r\nRegsvr32 \u0026 Execute\r\nRun CMD in memory\r\nRun PS in memory\r\nMemLoadDllMain || MemLoadExe\r\nRunning dll in memory #2 (DllRegisterServer)\r\nRunning dll in memory #3 (DllInstall(Install))\r\nRunning dll in memory #3 (DllInstall(Unstall))\r\nMemLoadShellCode\r\nCrypt update \u0026 Bots upgrade\r\nUninstall\r\nCommands typically receive a URL as argument Pk from where to fetch the payload. Depending on the type of command, payloads are either manually mapped into the process memory and executed from there or written to disk before execution.\r\nFor files written to disk, Matanbuchus uses the directory %PROGRAMDATA%\\%PROCESSOR_REVISION% as storage, e.g. C:\\ProgramData\\9e09\\. File names are randomly generated with a fixed length (11–13 chars) depending on the exact command and only consist of upper- and lowercase letters, with a file extension of .nls or .exe.\r\nFile dropped by “Running exe” command\r\nThe command High start exe is used to run executables with elevated privileges via ShellExecuteExA(verb=runas); this requests elevation through the regular UAC prompt rather than bypassing it.\r\nShellcode fetched by MemLoadShellCode is expected to be in hex string format; it is decoded and executed using CreateThread in the same process.\r\nTools\r\nTo aid the analysis, we’ve written a small script to decrypt base64 blobs as exchanged by Matanbuchus. You can grab the script on our GitHub.\r\nIoCs\r\nIf you prefer MISP, you can find the IoCs below in the form of a MISP event on our GitHub as well.\r\n| Indicator | Value |\r\n|---|---|\r\n| MSI installer (SHA-256) | 34839e85cb8ae781654f2f9f0529114dbf21399e02bea3c9de94f6c247807e7e |\r\n| locale.nls, Matanbuchus loader (SHA-256) | 67a9e8599ab71865a97e75dae9be438c24d015a93e6a12fb5b450ec558528290 |\r\n| Matanbuchus core (SHA-256) | 44ddcdae080f2588b4452698b73f3a1d1d03af5b7b9a97e6ffc5ce3fa021bfc8 |\r\n| ITW URL | https://trainprinting[.]com/wp-content/upgrade/upgrades/docs.zip |\r\n| Loader update URL | https://azureliveapps[.]com/BNUwRuzkgS/auth.php |\r\n| Loader update URL | https://roamingslivedb[.]com/BNUwRuzkgS/auth.php |\r\n| Core component URL | https://azure-dbupdate[.]cloud/BNUwRuzkgS/index.php |\r\n| Core component URL | https://azureboot[.]com/BNUwRuzkgS/index.php |\r\n| C2 domain | azureboot[.]com |\r\n| C2 domain | azure-dbupdate[.]cloud |\r\n| C2 domain | roamingslivedb[.]com |\r\n| C2 domain | azureliveapps[.]com |\r\n| Hardcoded URL path in core component | /vmagtc/njqeee/requets/index.php |\r\n| Hardcoded high port | 23644 |\r\n| Hardcoded user agent | Windows-Update-Agent/11.0.10011.16384 Client-Protocol/2.0 |\r\nMITRE ATT\u0026CK\r\nT1027 Obfuscated Files or Information\r\nT1059 Command and Scripting Interpreter\r\nT1059.001 PowerShell\r\nT1059.003 Windows Command Shell\r\nT1218.007 Msiexec\r\nT1218.010 Regsvr32\r\nT1497 Virtualization/Sandbox Evasion\r\nT1571 Non-Standard Port\r\nT1573.001 Symmetric Cryptography\r\nSource: https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a"
	],
	"report_names": [
		"a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1158b666054c2e83e625f1f575b3a104fac9c74.pdf",
		"text": "https://archive.orkl.eu/d1158b666054c2e83e625f1f575b3a104fac9c74.txt",
		"img": "https://archive.orkl.eu/d1158b666054c2e83e625f1f575b3a104fac9c74.jpg"
	}
}