matiex | 9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73

Target

g6yzl1NROz6FgZi.exe
Size

1.2MB
MD5

7a8fa3fe4b23a2ca9612b2b1cf096f6a
SHA1

898d020a309d30d33055978794b2131fa5a18698
SHA256

9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73
SHA512

a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370

Score

10^/10

Malware Config

Family

matiex

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1652-66-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1652-67-0x000000000047006E-mapping.dmp	family_matiex
behavioral1/memory/1652-68-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

g6yzl1NROz6FgZi.exe

description pid process target process

PID 1808 set thread context of 1652 1808 g6yzl1NROz6FgZi.exe g6yzl1NROz6FgZi.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1812 1652 WerFault.exe g6yzl1NROz6FgZi.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1812 WerFault.exe
1812 WerFault.exe
1812 WerFault.exe
1812 WerFault.exe
1812 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

g6yzl1NROz6FgZi.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1652 g6yzl1NROz6FgZi.exe
Token: SeDebugPrivilege 1812 WerFault.exe

flow	ioc
5	checkip.dyndns.org

description	pid	process	target process
PID 1808 set thread context of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe

pid	pid_target	process	target process
1812	1652	WerFault.exe	g6yzl1NROz6FgZi.exe

description	pid	process
Token: SeDebugPrivilege	1652	g6yzl1NROz6FgZi.exe
Token: SeDebugPrivilege	1812	WerFault.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

g6yzl1NROz6FgZi.exeg6yzl1NROz6FgZi.exe

description	pid	process	target process
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1808 wrote to memory of 1652	1808	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 1652 wrote to memory of 1812	1652	g6yzl1NROz6FgZi.exe	WerFault.exe
PID 1652 wrote to memory of 1812	1652	g6yzl1NROz6FgZi.exe	WerFault.exe
PID 1652 wrote to memory of 1812	1652	g6yzl1NROz6FgZi.exe	WerFault.exe
PID 1652 wrote to memory of 1812	1652	g6yzl1NROz6FgZi.exe	WerFault.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1652-66-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1652-67-0x000000000047006E-mapping.dmp

Download
memory/1652-68-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1652-70-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1808-60-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1808-62-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1808-63-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1808-64-0x0000000005540000-0x00000000055C4000-memory.dmp

Filesize
528KB

Download
memory/1808-65-0x0000000005600000-0x00000000056A0000-memory.dmp

Filesize
640KB

Download
memory/1812-71-0x0000000000000000-mapping.dmp

Download
memory/1812-72-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download