General
-
Target
g6yzl1NROz6FgZi.exe
-
Size
1.2MB
-
Sample
210812-ywwkwmkmzn
-
MD5
7a8fa3fe4b23a2ca9612b2b1cf096f6a
-
SHA1
898d020a309d30d33055978794b2131fa5a18698
-
SHA256
9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73
-
SHA512
a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370
Static task
static1
Malware Config
Extracted
matiex
https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
Targets
-
-
Target
g6yzl1NROz6FgZi.exe
-
Size
1.2MB
-
MD5
7a8fa3fe4b23a2ca9612b2b1cf096f6a
-
SHA1
898d020a309d30d33055978794b2131fa5a18698
-
SHA256
9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73
-
SHA512
a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370
-
Matiex Main Payload
-
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-