matiex | c6a6df5f1efbeb60a9249cd6561f3eb8cc319de796595aa82180f6762ef6f43a

General

Target

09000000MMM090.exe
Size

461KB
MD5

086959707f8687e0764bce8b5c0c6aa3
SHA1

316f4aa555ffa7c249253e5a6dc3af68c9bd6ae8
SHA256

c6a6df5f1efbeb60a9249cd6561f3eb8cc319de796595aa82180f6762ef6f43a
SHA512

d041cf94607a803193c1ce429313c169c89f2920a908b8f4db2b70798be5cc9f2f88c6cd92de33881f9b721ba81d201f6ee2fb59fc1310e09f616bcf2bcc3a5e

Score

10^/10

Family

matiex

Credentials

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3960-2-0x0000000000170000-0x00000000001E6000-memory.dmp	family_matiex
behavioral2/memory/3960-3-0x00000000001E023E-mapping.dmp	family_matiex

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org
11 freegeoip.app
12 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

09000000MMM090.exe

description pid process target process

PID 576 set thread context of 3960 576 09000000MMM090.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

3960 MSBuild.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

09000000MMM090.exe

pid process

576 09000000MMM090.exe
576 09000000MMM090.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3960 MSBuild.exe

description	pid	process	target process
PID 576 set thread context of 3960	576	09000000MMM090.exe	MSBuild.exe

pid	process
3960	MSBuild.exe

pid	process
576	09000000MMM090.exe
576	09000000MMM090.exe

description	pid	process
Token: SeDebugPrivilege	3960	MSBuild.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

09000000MMM090.exeMSBuild.exe

description	pid	process	target process
PID 576 wrote to memory of 3960	576	09000000MMM090.exe	MSBuild.exe
PID 576 wrote to memory of 3960	576	09000000MMM090.exe	MSBuild.exe
PID 576 wrote to memory of 3960	576	09000000MMM090.exe	MSBuild.exe
PID 576 wrote to memory of 3960	576	09000000MMM090.exe	MSBuild.exe
PID 3960 wrote to memory of 2900	3960	MSBuild.exe	netsh.exe
PID 3960 wrote to memory of 2900	3960	MSBuild.exe	netsh.exe
PID 3960 wrote to memory of 2900	3960	MSBuild.exe	netsh.exe

memory/2900-11-0x0000000000000000-mapping.dmp

Download
memory/3960-2-0x0000000000170000-0x00000000001E6000-memory.dmp

Filesize
472KB

Download
memory/3960-3-0x00000000001E023E-mapping.dmp

Download
memory/3960-5-0x0000000073330000-0x0000000073A1E000-memory.dmp

Filesize
6.9MB

Download
memory/3960-8-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/3960-9-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3960-10-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3960-12-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/3960-13-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/3960-14-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download