matiex | b35320c510d100799cc245b4f9db0d3826cdf6edec4edaea326cae40375bfc6c

General

Target

375a9215552b14a93246e85884e6bae2.exe
Size

497KB
MD5

375a9215552b14a93246e85884e6bae2
SHA1

0e1f99ebf26b96fa1abcdc68ebf34c408abd9934
SHA256

b35320c510d100799cc245b4f9db0d3826cdf6edec4edaea326cae40375bfc6c
SHA512

1798515296c3aaa898b6c008c5b20ee5a0b4efc1c1ff4918994bd82594696a7bc6342ca904d59f4160950843d4133c9a7726ddd6bbe74894e924fc51df473d4d

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1348-3-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral2/memory/1348-4-0x000000000047023E-mapping.dmp	family_matiex

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
10 freegeoip.app
11 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

375a9215552b14a93246e85884e6bae2.exe

description pid process target process

PID 4076 set thread context of 1348 4076 375a9215552b14a93246e85884e6bae2.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1568 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1348 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

375a9215552b14a93246e85884e6bae2.exe

pid process

4076 375a9215552b14a93246e85884e6bae2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1348 MSBuild.exe

flow	ioc
7	checkip.dyndns.org
10	freegeoip.app
11	freegeoip.app

description	pid	process	target process
PID 4076 set thread context of 1348	4076	375a9215552b14a93246e85884e6bae2.exe	MSBuild.exe

pid	process
1568	schtasks.exe

pid	process
1348	MSBuild.exe

pid	process
4076	375a9215552b14a93246e85884e6bae2.exe

description	pid	process
Token: SeDebugPrivilege	1348	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

375a9215552b14a93246e85884e6bae2.execmd.exeMSBuild.exe

description	pid	process	target process
PID 4076 wrote to memory of 1292	4076	375a9215552b14a93246e85884e6bae2.exe	cmd.exe
PID 4076 wrote to memory of 1292	4076	375a9215552b14a93246e85884e6bae2.exe	cmd.exe
PID 4076 wrote to memory of 1292	4076	375a9215552b14a93246e85884e6bae2.exe	cmd.exe
PID 4076 wrote to memory of 1348	4076	375a9215552b14a93246e85884e6bae2.exe	MSBuild.exe
PID 4076 wrote to memory of 1348	4076	375a9215552b14a93246e85884e6bae2.exe	MSBuild.exe
PID 4076 wrote to memory of 1348	4076	375a9215552b14a93246e85884e6bae2.exe	MSBuild.exe
PID 4076 wrote to memory of 1348	4076	375a9215552b14a93246e85884e6bae2.exe	MSBuild.exe
PID 1292 wrote to memory of 1568	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1568	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1568	1292	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 556	1348	MSBuild.exe	netsh.exe
PID 1348 wrote to memory of 556	1348	MSBuild.exe	netsh.exe
PID 1348 wrote to memory of 556	1348	MSBuild.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\375a9215552b14a93246e85884e6bae2.exe
"C:\Users\Admin\AppData\Local\Temp\375a9215552b14a93246e85884e6bae2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml"
3⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\375a9215552b14a93246e85884e6bae2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml
MD5
aa2f6636e997aaa0b01fbc78b1dabe52

SHA1
fd462100fc91975dcbea8e361cf1eb8a70f6ad54

SHA256
d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

SHA512
6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

Download Submit
memory/556-14-0x0000000000000000-mapping.dmp

Download
memory/1292-2-0x0000000000000000-mapping.dmp

Download
memory/1348-11-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1348-7-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-4-0x000000000047023E-mapping.dmp

Download
memory/1348-12-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/1348-13-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/1348-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1348-15-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/1348-16-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/1348-17-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1568-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads