matiex | aa0503fb55d426770f3ab5f06f6f708ca768b72cfede1d477c7b5ddf97cb4589

General

Target

Payment Confirmation TT reference po.exe
Size

807KB
MD5

188d87dcba1c1d16b8779e05981c74c3
SHA1

7503fee46ec790d3f76df6c14a0968504adfc886
SHA256

402c8c6acc052173c55e48fe8228ae54db5b90be8ca3ab3d2050530b58c80b56
SHA512

94066967f5bd3b9b331ffbb65bf3431421b7cebf95b940a70edbafef7def654c647b9fe04e4741d6a919b58b9ed4555e81c846e113b66461b38f0b299e17abdc

Score

10^/10

matiex keylogger spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1664-66-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/1664-67-0x000000000046DCFE-mapping.dmp	family_matiex
behavioral1/memory/1664-68-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org

flow	ioc
5	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

description	pid	process	target process
PID 2028 set thread context of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1676 1664 WerFault.exe Payment Confirmation TT reference po.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Payment Confirmation TT reference po.exeWerFault.exe

pid process

2028 Payment Confirmation TT reference po.exe
1676 WerFault.exe
1676 WerFault.exe
1676 WerFault.exe
1676 WerFault.exe
1676 WerFault.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

pid process

1664 Payment Confirmation TT reference po.exe

pid	pid_target	process	target process
1676	1664	WerFault.exe	Payment Confirmation TT reference po.exe

pid	process
2028	Payment Confirmation TT reference po.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe

pid	process
1664	Payment Confirmation TT reference po.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment Confirmation TT reference po.exePayment Confirmation TT reference po.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2028	Payment Confirmation TT reference po.exe
Token: SeDebugPrivilege	1664	Payment Confirmation TT reference po.exe
Token: SeDebugPrivilege	1676	WerFault.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Payment Confirmation TT reference po.exePayment Confirmation TT reference po.exe

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
2⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1260
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-66-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-67-0x000000000046DCFE-mapping.dmp

Download
memory/1664-68-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-70-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1676-71-0x0000000000000000-mapping.dmp

Download
memory/1676-72-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2028-60-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2028-62-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2028-63-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2028-64-0x0000000005080000-0x00000000050DB000-memory.dmp

Filesize
364KB

Download
memory/2028-65-0x00000000050F0000-0x0000000005163000-memory.dmp

Filesize
460KB

Download

description	pid	process	target process
PID 2028 wrote to memory of 556	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 556	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 556	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 556	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664	2028	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 1664 wrote to memory of 1676	1664	Payment Confirmation TT reference po.exe	WerFault.exe
PID 1664 wrote to memory of 1676	1664	Payment Confirmation TT reference po.exe	WerFault.exe
PID 1664 wrote to memory of 1676	1664	Payment Confirmation TT reference po.exe	WerFault.exe
PID 1664 wrote to memory of 1676	1664	Payment Confirmation TT reference po.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads