{
	"id": "8c41f351-9c1d-4630-89ef-a3b720d4f24f",
	"created_at": "2026-04-06T00:16:17.932313Z",
	"updated_at": "2026-04-10T03:30:57.663907Z",
	"deleted_at": null,
	"sha1_hash": "fe3385dd2dc743636d2dbc60f42004ecbd452553",
	"title": "Malspam pushes Matanbuchus malware, leads to Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4107273,
	"plain_text": "Malspam pushes Matanbuchus malware, leads to Cobalt Strike\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 12:59:20 UTC\r\nIntroduction\r\nOn Thursday 2022-06-16, threat researchers discovered a wave of malicious spam (malspam) pushing Matanbuchus malware:\r\nhttps://twitter.com/pr0xylife/status/1537511268591992840\r\nhttps://twitter.com/executemalware/status/1537569201577156611\r\nToday's diary reviews the activity, which led to Cobalt Strike in my lab environment.\r\nShown above: Flow chart for Matanbuchus activity on Thursday 2022-06-16.\r\nEmail and Attachment\r\nhttps://isc.sans.edu/diary/rss/28752\r\nPage 1 of 10\r\nShown above: Screenshot from one of the emails pushing Matanbuchus on 2022-06-16.\r\nShown above: The email attachment is a zip archive that contains an HTML file.\r\nShown above: The HTML file pretends to be a OneDrive page; however, it actually contains base64 text that is converted to a file for download.\r\nShown above: Zip archive downloaded from the HTML file contains an MSI package.\r\nShown above: MSI extracted from the second zip archive is signed using a certificate, apparently from Digicert.\r\nRunning the MSI Package\r\nShown above: MSI package pretends to install an Adobe font pack.\r\nShown above: Installation process presents a fake error message.\r\nShown above: VBS file that generated the fake error message, and the Matanbuchus DLL saved to the infected host in two different locations.\r\nNOTE: In the above image, the Matanbuchus file main.dll was dropped by the .msi package, while 2100.nls was retrieved through HTTPS traffic after main.dll was run. Both have the same SHA256 hash.\r\nShown above: Scheduled task to keep the Matanbuchus malware persistent.\r\nTraffic From an Infected Windows Host\r\nShown above: Traffic from an infected Windows host filtered in Wireshark (part 1 of 2).\r\nShown above: Traffic from an infected Windows host filtered in Wireshark (part 2 of 2).\r\nIndicators of Compromise (IOCs)\r\nSHA256 hashes for 7 unique attachments from 14 email examples on 2022-06-16:\r\nSHA256 hashes for HTML files extracted from the above 7 zip archives:\r\nSHA256 hashes for zip archives generated by the above 7 HTML files:\r\nSHA256 hashes for .msi packages extracted from the above 7 zip archives:\r\n32-bit DLL for Matanbuchus:\r\nSHA256 hash: f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e\r\nFile size: 410,624 bytes\r\nFile location: hxxps://telemetrysystemcollection[.]com/m8YYdu/mCQ2U9/auth.aspx\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\AdobeFontPack\\main.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\x86\\[4 ASCII characters for hex].nls\r\nFile type: PE32 executable (DLL) (console) Intel 80386, for MS Windows\r\nRun method: regsvr32.exe [filename]\r\nNote: The above DLL was dropped by the .msi package, then it was also retrieved over HTTPS from telemetrysystemcollection[.]com. The HTTPS traffic is probably a way to update the DLL, but in this case, the new file had the same file hash as the original.\r\nSecond file sent over HTTPS traffic from telemetrysystemcollection[.]com:\r\nSHA256 hash: 39ec827d24fe68d341cff2a85ef0a7375e9c313064903b92d4c32c7413d84661\r\nFile size: 832,128 bytes\r\nFile location: hxxps://telemetrysystemcollection[.]com/m8YYdu/mCQ2U9/home.aspx\r\nFile type: base64 text\r\nSHA256 hash: a5b06297d86aee3c261df7415a4fa873f38bd5573523178000d89a8d5fd64b9a\r\nFile size: 605,184 bytes\r\nFile description: XOR-ed binary converted from the above base64 text\r\nFile type: data\r\nNote: This binary was XOR-ed with the ASCII string: FuHZu4rQgn3eqLZ6FB48Deybj49xEUCtDTAmF\r\nSHA256 hash: bd68ecd681b844232f050c21c1ea914590351ef64e889d8ef37ea63bd9e2a2ec\r\nFile size: 605,184 bytes\r\nFile type: PE32 executable (DLL) (console) Intel 80386, for MS Windows\r\nFile description: DLL file converted from the above XOR-ed binary\r\nNote: Unknown entry point for this DLL file\r\nFirst Cobalt Strike file (ASCII text):\r\nSHA256 hash: 4ee7350176014c7fcb8d33a79dcb1076794a2f86e9b2348f2715ca81f011e799\r\nFile size: 1,668 bytes\r\nFile location: hxxp://144.208.127[.]245/cob23_443.txt\r\nFile type: ASCII text, with very long lines, with no line terminators\r\nSHA256 hash: 7643468adbc1fca4342b7458f0e1dc4ae11c0dde7c06e52fea02c1e057314def\r\nFile size: 834 bytes\r\nFile type: data\r\nFile description: above ASCII text entered into a hex editor and converted to a data binary\r\nSecond Cobalt Strike file (32-bit DLL):\r\nSHA256 hash: 6d3259011b9f2abd3b0c3dc5b609ac503392a7d8dea018b78ecd39ec097b3968\r\nFile size: 16,384 bytes\r\nFile location: hxxp://144.208.127[.]245/cob_220_443.dll\r\nFile type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nRun method: regsvr32.exe [filename]\r\nInfection traffic:\r\nTraffic for Matanbuchus DLL:\r\n213.226.114[.]15 port 443 (HTTPS) - telemetrysystemcollection[.]com - GET /m8YYdu/mCQ2U9/auth.aspx\r\nAdditional traffic returning base64 text for XOR-encoded binary:\r\n213.226.114[.]15 port 443 (HTTPS) - telemetrysystemcollection[.]com - GET /m8YYdu/mCQ2U9/home.aspx\r\nMatanbuchus C2 traffic:\r\n213.226.114[.]15 port 48195 (HTTP) - collectiontelemetrysystem[.]com - POST /cAUtfkUDaptk/ZRSeiy/requets/index.php\r\nTraffic caused by Matanbuchus for Cobalt Strike:\r\n144.208.127[.]245 port 80 - 144.208[.]127.245 - GET /cob23_443.txt\r\n144.208.127[.]245 port 80 - 144.208[.]127.245 - GET /cob_220_443.dll\r\nFirst Cobalt Strike C2 traffic:\r\n185.217.1[.]23 port 443 - hxxps://extic[.]icu/empower/type.tiff\r\n185.217.1[.]23 port 443 - hxxps://extic[.]icu/[unknown]\r\nSecond Cobalt Strike C2 traffic:\r\n190.123.44[.]220 port 443 - hxxps://reykh[.]icu/load/hunt.jpgv\r\n190.123.44[.]220 port 443 - hxxps://reykh[.]icu/thaw.txt\r\nNote: The above Cobalt Strike activity did not generate any DNS traffic for the associated .icu domains.\r\nFinal Words\r\n14 email examples, a packet capture (pcap) of traffic from an infected Windows host, and the associated malware/artifacts can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28752",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28752"
	],
	"report_names": [
		"28752"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe3385dd2dc743636d2dbc60f42004ecbd452553.pdf",
		"text": "https://archive.orkl.eu/fe3385dd2dc743636d2dbc60f42004ecbd452553.txt",
		"img": "https://archive.orkl.eu/fe3385dd2dc743636d2dbc60f42004ecbd452553.jpg"
	}
}