General
Target: Quotation 7339.exe
Size: 3.6MB
Sample: 201228-nnsa6ackax
MD5: 830dcd49c9b23bf35d7d8bc6caf099a8
SHA1: 8faecce6b954965528969fc946e7650865dbd763
SHA256: 0ee6256edbcb97ace761a15d86ce3e3adc080364f752473dd941339060a4e4b2
SHA512: d7f7ac208933fb7a7aa65524bc4c37c983b7b01e1b1b112f0b83749b9bbc915d1678add8fcce77279a8859c496d690a879a84d525f9e987170479566ba8d8ea5
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation 7339.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Quotation 7339.exe
  Resource: win10v20201028
Malware Config
Extracted
  Protocol: smtp
  Host: srvc13.turhost.com
  Port: 587
  Username: info@bilgitekdagitim.com
  Password: italik2015
Extracted: matiex
  Protocol: smtp
  Host: srvc13.turhost.com
  Port: 587
  Username: info@bilgitekdagitim.com
  Password: italik2015
Targets
Target: Quotation 7339.exe
Size: 3.6MB
MD5: 830dcd49c9b23bf35d7d8bc6caf099a8
SHA1: 8faecce6b954965528969fc946e7650865dbd763
SHA256: 0ee6256edbcb97ace761a15d86ce3e3adc080364f752473dd941339060a4e4b2
SHA512: d7f7ac208933fb7a7aa65524bc4c37c983b7b01e1b1b112f0b83749b9bbc915d1678add8fcce77279a8859c496d690a879a84d525f9e987170479566ba8d8ea5
Score: 10/10
- Matiex Main Payload
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext