{"id":227940,"date":"2024-05-06T15:56:56","date_gmt":"2024-05-06T13:56:56","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=227940"},"modified":"2026-01-09T13:50:09","modified_gmt":"2026-01-09T13:50:09","slug":"matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/","title":{"rendered":"Matanbuchus &amp; Co: Code Emulation and Cybercrime Infrastructure Discovery"},"content":{"rendered":"<h2>Key findings<\/h2>\n<ul>\n<li>How a pivot on the Whois of the C2 domains of Matanbuchus can be leveraged to anticipate future campaigns and wider threats.<\/li>\n<li>A seemingly Russia-based bulletproof hosting service is currently used by impactful intrusion sets leveraging Matanbuchus and SocGholish malware.<\/li>\n<li>How the encrypted strings contained in the Matanbuchus DLL can be dynamically decrypted with emulation.<\/li>\n<li>TA577 could currently be a client of Matanbuchus, or just testing the solution.<\/li>\n<\/ul>\n<h2>Introduction<\/h2>\n<p style=\"text-align: justify;\">In early March, malspam campaigns were launched with the intention of deploying the Matanbuchus Loader. Intrinsec&#039;s CTI team decided to analyze these campaigns to unveil details of the attack chain which could be leveraged to anticipate further threats. As we will later describe in this report, by analyzing the infrastructure of the malware and its network communications, we were able to discover a previously unknown Autonomous System that currently hosts a wide range of other malicious activities.<\/p>\n<h2>Intrinsec&#039;s CTI services<\/h2>\n<p style=\"text-align: justify;\">Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.<\/p>\n<p style=\"text-align: justify;\">For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data &amp; information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering &amp; pivots.<\/p>\n<p style=\"text-align: justify;\">Intrinsec also offers various services around Cyber Threat Intelligence:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Risk anticipation: which can be leveraged to continuously adapt the detection &amp; response capabilities of our clients&#039; existing tools (EDR, XDR, SIEM, \u2026) through:\n<ul>\n<li><strong>an operational feed of IOCs based on our exclusive activities.<\/strong><\/li>\n<li><strong>threat intel notes &amp; reports, TIP-compliant.<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>Digital risk monitoring:\n<ul>\n<li><strong>data leak detection &amp; remediation<\/strong><\/li>\n<li><strong>external asset security monitoring (EASM)<\/strong><\/li>\n<li><strong>brand protection<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">For more information, go to <a href=\"http:\/\/www.intrinsec.com\/en\/cyber-threat-intelligence\/\">www.intrinsec.com\/en\/cyber-threat-intelligence\/<\/a>.<\/p>\n<p style=\"text-align: justify;\">Follow us on <a href=\"https:\/\/www.linkedin.com\/company\/intrinsec\/\">LinkedIn<\/a> and <a href=\"https:\/\/twitter.com\/Intrinsec\">X<\/a><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/04\/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf\">Full report here<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>[et_pb_section fb_built=&quot;1&quot; _builder_version=&quot;4.23.1&quot; _module_preset=&quot;default&quot; global_colors_info=&quot;{}&quot;][et_pb_row _builder_version=&quot;4.24.2&quot; _module_preset=&quot;default&quot; width=&quot;73%&quot; global_colors_info=&quot;{}&quot;][et_pb_column type=&quot;4_4&quot; _builder_version=&quot;4.23.1&quot; _module_preset=&quot;default&quot; global_colors_info=&quot;{}&quot;][et_pb_image src=&quot;https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/04\/matanbuchus_illustration.png&quot; alt=&quot;AkiRAT&quot; [\u2026]<\/p>","protected":false},"author":42,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,11],"tags":[160],"class_list":["post-227940","post","type-post","status-publish","format-standard","hentry","category-cyber-threat-intelligence","category-threat-intelligence-report","tag-cyber-threat-intelligence"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Matanbuchus &amp; Co - Cyber Threat Intelligence<\/title>\n<meta name=\"description\" content=\"Discover Matanbuchus malware 
secrets and its role in cybercrime infrastructure through dynamic decryption and code emulation analysis\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Matanbuchus &amp; Co: Code Emulation and Cybercrime Infrastructure Discovery\" \/>\n<meta property=\"og:description\" content=\"Discover Matanbuchus malware secrets and its role in cybercrime infrastructure through dynamic decryption and code emulation analysis\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-06T13:56:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-09T13:50:09+00:00\" \/>\n<meta name=\"author\" content=\"David Sardinha\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Sardinha\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/\"},\"author\":{\"name\":\"David Sardinha\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eef66c6c32d58bdf5504aa413ee51657\"},\"headline\":\"Matanbuchus &#038; Co: Code Emulation and Cybercrime Infrastructure Discovery\",\"datePublished\":\"2024-05-06T13:56:56+00:00\",\"dateModified\":\"2026-01-09T13:50:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/\"},\"wordCount\":661,\"keywords\":[\"Cyber Threat Intelligence\"],\"articleSection\":[\"Cyber Threat Intelligence\",\"Threat Intelligence Report\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/\",\"name\":\"Matanbuchus & Co - Cyber Threat Intelligence\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"datePublished\":\"2024-05-06T13:56:56+00:00\",\"dateModified\":\"2026-01-09T13:50:09+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eef66c6c32d58bdf5504aa413ee51657\"},\"description\":\"Discover Matanbuchus malware secrets and its role in cybercrime infrastructure through dynamic decryption and code emulation 
analysis\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Matanbuchus &#038; Co: Code Emulation and Cybercrime Infrastructure Discovery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eef66c6c32d58bdf5504aa413ee51657\",\"name\":\"David Sardinha\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g\",\"caption\":\"David 
Sardinha\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/david-sardinha\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Matanbuchus &amp; Co - Cyber Threat Intelligence","description":"Discover Matanbuchus malware secrets and its role in cybercrime infrastructure through dynamic decryption and code emulation analysis","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/","og_locale":"en_US","og_type":"article","og_title":"Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery","og_description":"Discover Matanbuchus malware secrets and its role in cybercrime infrastructure through dynamic decryption and code emulation analysis","og_url":"https:\/\/www.intrinsec.com\/en\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/","og_site_name":"INTRINSEC","article_published_time":"2024-05-06T13:56:56+00:00","article_modified_time":"2026-01-09T13:50:09+00:00","author":"David Sardinha","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Sardinha","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/"},"author":{"name":"David Sardinha","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eef66c6c32d58bdf5504aa413ee51657"},"headline":"Matanbuchus &#038; Co: Code Emulation and Cybercrime Infrastructure Discovery","datePublished":"2024-05-06T13:56:56+00:00","dateModified":"2026-01-09T13:50:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/"},"wordCount":661,"keywords":["Cyber Threat Intelligence"],"articleSection":["Cyber Threat Intelligence","Threat Intelligence Report"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/","url":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/","name":"Matanbuchus &amp; Co - Cyber Threat Intelligence","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"datePublished":"2024-05-06T13:56:56+00:00","dateModified":"2026-01-09T13:50:09+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eef66c6c32d58bdf5504aa413ee51657"},"description":"Discover Matanbuchus malware secrets and its role in cybercrime infrastructure through dynamic decryption and code emulation 
analysis","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/matanbuchus-co-emulation-and-cybercrime-infrastructure-discovery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Matanbuchus &#038; Co: Code Emulation and Cybercrime Infrastructure Discovery"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eef66c6c32d58bdf5504aa413ee51657","name":"David Sardinha","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g","caption":"David 
Sardinha"},"url":"https:\/\/www.intrinsec.com\/en\/author\/david-sardinha\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/227940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=227940"}],"version-history":[{"count":1,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/227940\/revisions"}],"predecessor-version":[{"id":231209,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/227940\/revisions\/231209"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=227940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=227940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=227940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}