matiex | 786a583ea35093cc588069ed3b8d4dd6dbe8e9edfe68569d3752c6da82db0de1

General

Target

INVOICE RECEIPT NO253334.exe
Size

455KB
MD5

c6b4a2eb53f687988c0427cf752d429f
SHA1

d6b3299043950047524087631f72375b68bfc36d
SHA256

786a583ea35093cc588069ed3b8d4dd6dbe8e9edfe68569d3752c6da82db0de1
SHA512

ded0daa7672ade2aabf1695c67441c0c488b8f44170ebd438105936eeac2a4d9fb7da1aef48565bb42caf6807eb4f0157a0de43ddf4731e5d3c428e8cf034dee

Score

10^/10

Family

matiex

C2

https://api.telegram.org/bot1718729558:AAFUftnJNVxfQZ7XrIUEpE1UiXHAYPc6VAQ/sendMessage?chat_id=1841930277

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1032-116-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE RECEIPT NO253334.exe

description pid process target process

PID 3956 set thread context of 1032 3956 INVOICE RECEIPT NO253334.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1032 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

INVOICE RECEIPT NO253334.exe

pid process

3956 INVOICE RECEIPT NO253334.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1032 MSBuild.exe

description	pid	process	target process
PID 3956 set thread context of 1032	3956	INVOICE RECEIPT NO253334.exe	MSBuild.exe

pid	process
1032	MSBuild.exe

pid	process
3956	INVOICE RECEIPT NO253334.exe

description	pid	process
Token: SeDebugPrivilege	1032	MSBuild.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

INVOICE RECEIPT NO253334.exeMSBuild.exe

description	pid	process	target process
PID 3956 wrote to memory of 1032	3956	INVOICE RECEIPT NO253334.exe	MSBuild.exe
PID 3956 wrote to memory of 1032	3956	INVOICE RECEIPT NO253334.exe	MSBuild.exe
PID 3956 wrote to memory of 1032	3956	INVOICE RECEIPT NO253334.exe	MSBuild.exe
PID 3956 wrote to memory of 1032	3956	INVOICE RECEIPT NO253334.exe	MSBuild.exe
PID 1032 wrote to memory of 3404	1032	MSBuild.exe	netsh.exe
PID 1032 wrote to memory of 3404	1032	MSBuild.exe	netsh.exe
PID 1032 wrote to memory of 3404	1032	MSBuild.exe	netsh.exe

memory/1032-114-0x000000000047008E-mapping.dmp

Download
memory/1032-116-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1032-118-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1032-119-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1032-120-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/1032-121-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1032-123-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/1032-124-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/1032-125-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/3404-122-0x0000000000000000-mapping.dmp

Download
memory/3956-115-0x0000000000740000-0x0000000000742000-memory.dmp

Filesize
8KB

Download