Overview

overview

10

Static

static

857d76fe35...b0.exe

windows7_x64

10

857d76fe35...b0.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    857d76fe35dffe27c19ea691fc55b1b0.exe

  • Size

    716KB

  • Sample

    201230-m8dl4wbnea

  • MD5

    857d76fe35dffe27c19ea691fc55b1b0

  • SHA1

    96059a573a3915358576cf47dda524f5e794e68c

  • SHA256

    606d71ee2279fa142144bfddb518aa863ad5b1bc0c07c03ea87f14ee5123f4f1

  • SHA512

    f9e09ba7bf1c6f7db891a62d2fee0ae25539ec0e99af2c2a6d02001813a0333c806e43eec0d018bd763e65919c44facba2469499dd7c3077e6af7e0d70b51339

Score
10/10
matiexkeyloggerspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    srvc13.turhost.com
  • Port:
    587
  • Username:
    info@bilgitekdagitim.com
  • Password:
    italik2015

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    srvc13.turhost.com
  • Port:
    587
  • Username:
    info@bilgitekdagitim.com
  • Password:
    italik2015

Targets

    • Target

      857d76fe35dffe27c19ea691fc55b1b0.exe

    • Size

      716KB

    • MD5

      857d76fe35dffe27c19ea691fc55b1b0

    • SHA1

      96059a573a3915358576cf47dda524f5e794e68c

    • SHA256

      606d71ee2279fa142144bfddb518aa863ad5b1bc0c07c03ea87f14ee5123f4f1

    • SHA512

      f9e09ba7bf1c6f7db891a62d2fee0ae25539ec0e99af2c2a6d02001813a0333c806e43eec0d018bd763e65919c44facba2469499dd7c3077e6af7e0d70b51339

    Score
    10/10
    matiexkeyloggerspywarestealer

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

      stealerkeyloggermatiex

    • Matiex Main Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks