matiex | aa0503fb55d426770f3ab5f06f6f708ca768b72cfede1d477c7b5ddf97cb4589

General

Target

Payment Confirmation TT reference po.exe
Size

807KB
MD5

188d87dcba1c1d16b8779e05981c74c3
SHA1

7503fee46ec790d3f76df6c14a0968504adfc886
SHA256

402c8c6acc052173c55e48fe8228ae54db5b90be8ca3ab3d2050530b58c80b56
SHA512

94066967f5bd3b9b331ffbb65bf3431421b7cebf95b940a70edbafef7def654c647b9fe04e4741d6a919b58b9ed4555e81c846e113b66461b38f0b299e17abdc

Score

10^/10

matiex keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3648-125-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral2/memory/3648-126-0x000000000046DCFE-mapping.dmp	family_matiex
behavioral2/memory/3648-133-0x0000000005250000-0x00000000052EC000-memory.dmp	family_matiex

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 freegeoip.app
14 freegeoip.app
11 checkip.dyndns.org

flow	ioc
13	freegeoip.app
14	freegeoip.app
11	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

description	pid	process	target process
PID 636 set thread context of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

pid process

3648 Payment Confirmation TT reference po.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

pid process

3648 Payment Confirmation TT reference po.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

pid process

3648 Payment Confirmation TT reference po.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

description pid process

Token: SeDebugPrivilege 3648 Payment Confirmation TT reference po.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Payment Confirmation TT reference po.exe

pid process

3648 Payment Confirmation TT reference po.exe

pid	process
3648	Payment Confirmation TT reference po.exe

pid	process
3648	Payment Confirmation TT reference po.exe

pid	process
3648	Payment Confirmation TT reference po.exe

description	pid	process
Token: SeDebugPrivilege	3648	Payment Confirmation TT reference po.exe

pid	process
3648	Payment Confirmation TT reference po.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Payment Confirmation TT reference po.exe

description	pid	process	target process
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe
PID 636 wrote to memory of 3648	636	Payment Confirmation TT reference po.exe	Payment Confirmation TT reference po.exe

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation TT reference po.exe.log
MD5
6521ad4e3d4f1d043ebbd5765b69e211

SHA1
4bf0fff43dc33bd2c91a470b25827432dff92d8b

SHA256
5f8b317795f3079b968a3c2d0f722cba21ae79a1373b484781e3f95aed22afd6

SHA512
389d1fee037e437e0f1c5e90772edf93be774f435061ba18543d34b7753239dd9ce828f6627ba43cfad690c8c84263e86d1f88e94cbff3615fa58f359178a74d

Download Submit
memory/636-119-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/636-124-0x0000000009480000-0x00000000094F3000-memory.dmp

Filesize
460KB

Download
memory/636-118-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/636-114-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/636-120-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/636-121-0x0000000005CD0000-0x0000000005CD7000-memory.dmp

Filesize
28KB

Download
memory/636-117-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/636-123-0x0000000009420000-0x000000000947B000-memory.dmp

Filesize
364KB

Download
memory/636-122-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/3648-126-0x000000000046DCFE-mapping.dmp

Download
memory/3648-125-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3648-132-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3648-133-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/3648-135-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads