Resubmissions

12-08-2021 13:20

210812-s5k1bdx2tj 10

12-08-2021 13:06

210812-ywwkwmkmzn 10

12-08-2021 12:42

210812-13ygffvy9j 10

12-08-2021 12:41

210812-ph9ze8t96a 10

General

  • Target

    g6yzl1NROz6FgZi.exe

  • Size

    1.2MB

  • Sample

    210812-ywwkwmkmzn

  • MD5

    7a8fa3fe4b23a2ca9612b2b1cf096f6a

  • SHA1

    898d020a309d30d33055978794b2131fa5a18698

  • SHA256

    9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73

  • SHA512

    a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Targets

    • Target

      g6yzl1NROz6FgZi.exe

    • Size

      1.2MB

    • MD5

      7a8fa3fe4b23a2ca9612b2b1cf096f6a

    • SHA1

      898d020a309d30d33055978794b2131fa5a18698

    • SHA256

      9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73

    • SHA512

      a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

      suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks