Matanbuchus 3.0: Technical Analysis
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Matanbuchus is a C++-based malicious downloader that has been distributed as a Malware‑as‑a‑Service (MaaS) offering since 2020. Version 3.0, observed in July 2025, introduces Protobuf-based serialization, ChaCha20 encryption, and multiple new anti-analysis techniques. The malware is composed of a downloader module that retrieves a primary backdoor module from its C2 server, then handles persistence, command execution, and delivery of follow-on payloads. It has been tied to ransomware incidents and to campaigns distributing the Rhadamanthys information stealer and NetSupport RAT.
Matanbuchus 3.0 Analysis
The analysis describes two components, a downloader and a main module, and walks through the initial infection chain: a QuickAssist remote-assistance session, a malicious MSI hosted on gpa-cro.com, and a malicious DLL side-loaded by HRUpdate.exe. The downloader reaches out to mechiraz.com to obtain the main module, which registers with the C2, creates a scheduled task named Update Tracker Task, and sets a per-host mutex. C2 traffic flows over HTTPS as Protobuf messages encrypted with ChaCha20 keys and nonces.
Mitigation
Defensive measures include blocking the gpa-cro.com and mechiraz.com domains at the network edge, monitoring for creation of the Update Tracker Task and the associated HKCU registry key, and enforcing application allow-listing so that untrusted MSI packages and side-loaded DLLs cannot execute. Because the ChaCha20-encrypted Protobuf messages travel inside HTTPS, a network sensor cannot recognise the cipher itself; wire-level detection rests on the destination (the C2 domains above, and TLS connections from msiexec.exe to unfamiliar hosts), while endpoint controls should restrict msiexec to signed, verified packages and alert when its -z switch loads a DLL from a user-writable path.
Response
When Matanbuchus activity is detected, isolate the impacted system, capture the scheduled task definition, registry entry, mutex value, and any retrieved payloads, and then remove the malicious binaries and tasks. Perform comprehensive endpoint forensics to uncover second-stage payloads and any exfiltrated data, followed by resetting exposed credentials and remediating affected Active Directory accounts.
```mermaid
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef process fill:#ccffcc
    classDef operator fill:#ff9900

    %% Nodes - Techniques, Tools, Processes
    init_remote_access["<b>Technique</b> - <b>T1219 Remote Access Tools</b><br/>Used QuickAssist remote assistance to gain foothold."]
    tool_quickassist["<b>Tool</b> - <b>Name</b>: QuickAssist<br/><b>Description</b>: Windows remote assistance utility"]
    execution_user_exec["<b>Technique</b> - <b>T1204.002 User Execution</b><br/>Malicious MSI downloaded via command line"]
    process_msi["<b>Process</b> - <b>Name</b>: Malicious.msi<br/><b>Description</b>: Delivered payload"]
    tool_cmdshell["<b>Tool</b> - <b>Name</b>: Windows Command Shell<br/><b>Technique ID</b>: T1059.003"]
    process_hrupdate["<b>Process</b> - <b>Name</b>: HRUpdate.exe<br/><b>Description</b>: Executed by cmd"]
    tool_msiexec["<b>Tool</b> - <b>Name</b>: Msiexec<br/><b>Technique ID</b>: T1218.007<br/>Used for DLL sideloading"]
    process_maliciousdll["<b>Process</b> - <b>Name</b>: Malicious DLL<br/><b>Description</b>: Loaded via msiexec"]
    persistence_schtask["<b>Technique</b> - <b>T1053 Scheduled Task/Job</b><br/>Creates task to run msiexec on restart"]
    discovery_systeminfo["<b>Technique</b> - <b>T1082 System Information Discovery</b><br/>Collects host name, OS, etc."]
    discovery_identity["<b>Technique</b> - <b>T1589 Gather Victim Identity Information</b><br/>Collects user and domain details"]
    discovery_network["<b>Technique</b> - <b>T1590.001 Domain Properties</b><br/>Collects domain and security product info"]
    defense_obfuscation["<b>Technique</b> - <b>T1027 Obfuscated Files or Information</b><br/>Dynamic API Resolution and Junk Code"]
    defense_deobfuscate["<b>Technique</b> - <b>T1140 Deobfuscate/Decode Files or Information</b>"]
    defense_virustime["<b>Technique</b> - <b>T1497.003 Time Based Evasion</b>"]
    defense_useractivity["<b>Technique</b> - <b>T1497.002 User Activity Based Checks</b>"]
    c2_webservice["<b>Technique</b> - <b>T1102.002 Web Service Bidirectional Communication</b><br/>HTTPS with encrypted Protobuf"]
    c2_appprotocol["<b>Technique</b> - <b>T1071 Application Layer Protocol</b><br/>Uses HTTP/HTTPS"]
    payload_powershell["<b>Technique</b> - <b>T1059.001 PowerShell</b><br/>Executes downloaded payloads"]
    payload_cmdshell["<b>Technique</b> - <b>T1059.003 Windows Command Shell</b><br/>Executes EXE DLL MSI"]
    process_injection["<b>Technique</b> - <b>T1055.001 DLL Injection</b><br/>Injects via named pipes"]
    tool_wmi["<b>Tool</b> - <b>Name</b>: Windows Management Instrumentation (WMI)<br/><b>Technique ID</b>: T1047"]

    %% Class Assignments
    class init_remote_access,execution_user_exec,persistence_schtask,discovery_systeminfo,discovery_identity,discovery_network,defense_obfuscation,defense_deobfuscate,defense_virustime,defense_useractivity,c2_webservice,c2_appprotocol,payload_powershell,payload_cmdshell,process_injection action
    class tool_quickassist,tool_cmdshell,tool_msiexec,tool_wmi tool
    class process_msi,process_hrupdate,process_maliciousdll process

    %% Connections - Attack Flow
    init_remote_access -->|uses| tool_quickassist
    tool_quickassist -->|enables| execution_user_exec
    execution_user_exec -->|downloads| process_msi
    process_msi -->|executed by| tool_cmdshell
    tool_cmdshell -->|runs| process_hrupdate
    process_hrupdate -->|launches| tool_msiexec
    tool_msiexec -->|loads| process_maliciousdll
    process_maliciousdll -->|creates| persistence_schtask
    persistence_schtask -->|executes on restart| tool_msiexec
    persistence_schtask -->|runs| process_maliciousdll
    init_remote_access -->|leads to| discovery_systeminfo
    init_remote_access -->|leads to| discovery_identity
    init_remote_access -->|leads to| discovery_network
    process_maliciousdll -->|employs| defense_obfuscation
    process_maliciousdll -->|uses| defense_deobfuscate
    process_maliciousdll -->|applies| defense_virustime
    process_maliciousdll -->|applies| defense_useractivity
    process_maliciousdll -->|communicates with| c2_webservice
    c2_webservice -->|uses| c2_appprotocol
    c2_webservice -->|delivers| payload_powershell
    c2_webservice -->|delivers| payload_cmdshell
    payload_powershell -->|executes| process_injection
    payload_cmdshell -->|executes| process_injection
    process_injection -->|uses| tool_wmi
```
Attack Flow
Detections
- Detection of Matanbuchus Malware Activity via QuickAssist and HRUpdate.exe Execution [Windows Process Creation]
- Detect Matanbuchus Malicious URL Access [Windows Network Connection]
- IOCs (HashSha256) to detect: Technical Analysis of Matanbuchus 3.0
- Msiexec Executing Dll In Suspicious Directories (via cmdline)
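The four detections listed above, together with the task-creation monitoring called for under Mitigation, expressed as runnable detection logic. This is an added example, not the page's or the vendor's own rule content. It assumes Sysmon-style process-creation (event 1) and network-connection (event 3) records plus the Windows Security 4698 task-creation event, normalised into Python dicts; the suspicious-directory list, the rule names, the `_proc` helper and the sample event stream are constructed for the example, and the two domains are the ones named on this page.

```python
"""Detection logic for the Matanbuchus 3.0 indicators on this page, run over constructed
Sysmon-style events. Event keys: event_id 1 = process create, 3 = network, 4698 = task created."""
import re
from dataclasses import dataclass
from typing import Dict, List

# The two domains are named on this page; every other constant is a detection assumption.
MALICIOUS_DOMAINS = {"gpa-cro.com", "mechiraz.com"}
TASK_NAME_FRAGMENT = "update tracker task"
# User-writable locations from which a signed installer should not be loading DLLs.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# msiexec /y (register) and /z (unregister) both load the named DLL and call one of its exports.
MSIEXEC_DLL_SWITCH = re.compile(r'(?:^|\s)[/-][yz]\s+(?:"([^"]+\.dll)"|(\S+\.dll))', re.IGNORECASE)

RULE_CHAIN = "QuickAssist/HRUpdate.exe execution chain"
RULE_MSIEXEC = "Msiexec executing DLL in suspicious directory"
RULE_URL = "Matanbuchus malicious URL access"
RULE_TASK = "Update Tracker Task creation"

@dataclass
class Finding:
    rule: str
    host: str
    detail: str

def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # basename of a Windows image path

def detect_hrupdate_chain(events: List[dict]) -> List[Finding]:
    """HRUpdate.exe spawned by a shell on a host where QuickAssist ran, and
    msiexec.exe spawned by HRUpdate.exe (the side-loaded DLL handing off to msiexec)."""
    quickassist_hosts = {e["host"] for e in events
                         if e["event_id"] == 1 and _image_name(e["image"]) == "quickassist.exe"}
    findings = []
    for e in events:
        if e["event_id"] != 1:
            continue
        image, parent = _image_name(e["image"]), _image_name(e.get("parent_image", ""))
        if image == "hrupdate.exe" and parent in ("cmd.exe", "powershell.exe") and e["host"] in quickassist_hosts:
            findings.append(Finding(RULE_CHAIN, e["host"], f"{parent} -> hrupdate.exe during QuickAssist session"))
        if image == "msiexec.exe" and parent == "hrupdate.exe":
            findings.append(Finding(RULE_CHAIN, e["host"], f"hrupdate.exe -> msiexec.exe: {e.get('cmdline', '')}"))
    return findings

def detect_msiexec_dll(events: List[dict]) -> List[Finding]:
    """msiexec.exe handed a /y or /z DLL that lives in a user-writable directory."""
    findings = []
    for e in events:
        if e["event_id"] != 1 or _image_name(e["image"]) != "msiexec.exe":
            continue
        m = MSIEXEC_DLL_SWITCH.search(e.get("cmdline", ""))
        if m:
            dll = (m.group(1) or m.group(2)).lower()
            if any(d in dll for d in SUSPICIOUS_DIRS):
                findings.append(Finding(RULE_MSIEXEC, e["host"], dll))
    return findings

def detect_malicious_url(events: List[dict]) -> List[Finding]:
    """Outbound connection whose destination is, or sits under, a known Matanbuchus domain."""
    findings = []
    for e in events:
        if e["event_id"] != 3:
            continue
        dest = e.get("dest_host", "").lower().rstrip(".")
        if any(dest == d or dest.endswith("." + d) for d in MALICIOUS_DOMAINS):
            findings.append(Finding(RULE_URL, e["host"], f"{_image_name(e['image'])} -> {dest}:{e.get('dest_port')}"))
    return findings

def detect_task_creation(events: List[dict]) -> List[Finding]:
    """Security event 4698 (task created) naming the persistence task from this page."""
    return [Finding(RULE_TASK, e["host"], e["task_name"]) for e in events
            if e["event_id"] == 4698 and TASK_NAME_FRAGMENT in e.get("task_name", "").lower()]

def run_all(events: List[dict]) -> Dict[str, List[Finding]]:
    """Run every rule over one event stream; the result is keyed by rule name."""
    out: Dict[str, List[Finding]] = {RULE_CHAIN: [], RULE_MSIEXEC: [], RULE_URL: [], RULE_TASK: []}
    for rule in (detect_hrupdate_chain, detect_msiexec_dll, detect_malicious_url, detect_task_creation):
        for f in rule(events):
            out[f.rule].append(f)
    return out

def _proc(host, image, parent, cmdline):  # constructed process-creation record
    return {"event_id": 1, "host": host, "image": image, "parent_image": parent, "cmdline": cmdline}

# Constructed sample stream: WS01 carries the full chain, WS02 only benign look-alikes.
SAMPLE_EVENTS = [
    _proc("WS01", "C:\\Program Files\\QuickAssist\\QuickAssist.exe", "C:\\Windows\\explorer.exe", "QuickAssist.exe"),
    _proc("WS01", "C:\\Users\\alice\\AppData\\Roaming\\HRUpdate\\HRUpdate.exe", "C:\\Windows\\System32\\cmd.exe", "HRUpdate.exe /silent"),
    _proc("WS01", "C:\\Windows\\System32\\msiexec.exe", "C:\\Users\\alice\\AppData\\Roaming\\HRUpdate\\HRUpdate.exe", 'msiexec.exe /z "C:\\Users\\alice\\AppData\\Roaming\\HRUpdate\\hrupdate.dll"'),
    {"event_id": 3, "host": "WS01", "image": "C:\\Windows\\System32\\msiexec.exe", "dest_host": "mechiraz.com", "dest_port": 443},
    {"event_id": 4698, "host": "WS01", "task_name": "\\Update Tracker Task"},
    _proc("WS02", "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\explorer.exe", 'msiexec.exe /i "C:\\Users\\bob\\Downloads\\setup.msi" /qn'),
    _proc("WS02", "C:\\Program Files\\HRUpdate\\HRUpdate.exe", "C:\\Windows\\System32\\cmd.exe", "HRUpdate.exe /silent"),
    {"event_id": 3, "host": "WS02", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(rule, "->", [f"[{f.host}] {f.detail}" for f in hits])
```

Three design points matter in practice: the msiexec rule keys on the /y and /z switches and on the directory of the DLL rather than on a file hash, so it survives a rebuilt sample; the URL rule matches subdomains of the C2 domains; and the process-chain rule only fires for HRUpdate.exe when a QuickAssist process was seen on the same host, which keeps a legitimately deployed HRUpdate.exe from paging anyone.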
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands
- User Execution (T1204) – The attacker persuades the user to open QuickAssist.
- DLL Side‑Loading (T1574.002) – While QuickAssist runs, the attacker copies a malicious DLL (malicious.dll) into the same directory as HRUpdate.exe and then launches HRUpdate.exe, causing the malicious DLL to load.
- Scheduled‑Task Creation (T1053.005) – The attacker registers a scheduled task whose action is msiexec.exe -z <malicious DLL>; msiexec does not create the task, it is the task's action, and its -z switch loads the DLL under a signed Windows binary on every restart. A stand-in payload is also launched as a shell command (powershell -EncodedCommand …).
- Signed Binary Proxy Execution (T1218.007) and WMI (T1047) – The payload is launched via msiexec and optionally via WMI (wmic process call create …) to blend with legitimate admin actions.
Regression Test Script
```powershell
# -------------------------------------------------
# Simulation Script - Matanbuchus Activity (TTPs)
# Run elevated in a lab VM. The QuickAssist/HRUpdate paths and the
# benign test DLL named malicious.dll are lab assumptions.
# -------------------------------------------------
$ErrorActionPreference = "Stop"
$hrUpdateDir = "$env:ProgramFiles\HRUpdate"
$malDllPath  = "$hrUpdateDir\malicious.dll"
$msiexec     = "$env:SystemRoot\System32\msiexec.exe"

# 1. Deploy the DLL next to HRUpdate.exe so it wins the DLL search order
New-Item -ItemType Directory -Path $hrUpdateDir -Force | Out-Null
Copy-Item -Path ".\malicious.dll" -Destination $malDllPath -Force

# 2. Launch QuickAssist (legitimate) so the process-chain detection has its anchor
Start-Process -FilePath "$env:ProgramFiles\QuickAssist\QuickAssist.exe" -WindowStyle Hidden

# 3. Execute HRUpdate.exe to trigger DLL side-loading (T1574.002)
Start-Process -FilePath "$hrUpdateDir\HRUpdate.exe" -ArgumentList "/silent" -Wait

# 4. Persistence (T1053.005): a task whose action is "msiexec -z <dll>" (T1218.007), so the
#    signed binary reloads the DLL at every boot; run it once now so the telemetry is emitted
$taskName = "SysUpdate"
$action   = New-ScheduledTaskAction -Execute $msiexec -Argument "-z `"$malDllPath`""
$trigger  = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -User "SYSTEM" -Force | Out-Null
Start-ScheduledTask -TaskName $taskName

# 5. Encoded PowerShell stand-in payload (opens notepad), launched through WMI (T1047);
#    equivalent to: wmic process call create "cmd /c powershell -EncodedCommand <b64>"
$encoded    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Start-Process notepad.exe'))
$payloadCmd = "cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded"
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $payloadCmd } | Out-Null
# -------------------------------------------------
# End of Simulation
# -------------------------------------------------
```
Cleanup Commands
```powershell
# Terminate any lingering QuickAssist, HRUpdate or stand-in payload (notepad) processes
Get-Process -Name "QuickAssist","HRUpdate","notepad" -ErrorAction SilentlyContinue | Stop-Process -Force
# Delete the scheduled task before removing the DLL it points at
schtasks /Delete /TN "SysUpdate" /F
# Remove the malicious DLL
Remove-Item -Path "$env:ProgramFiles\HRUpdate\malicious.dll" -Force -ErrorAction SilentlyContinue
# Remove the temporary msiexec log, if one was written
Remove-Item -Path "$env:TEMP\msi.log" -Force -ErrorAction SilentlyContinue
```