General

  • Target

    Payment Confirmation TT reference po.rar

  • Size

    478KB

  • Sample

    210927-nal6qsgff6

  • MD5

    95ee878a4f3a47f96bd0131b7b70bec0

  • SHA1

    4c4b4696d7bbfcf3375b6b4d705ceb8691bd712e

  • SHA256

    aa0503fb55d426770f3ab5f06f6f708ca768b72cfede1d477c7b5ddf97cb4589

  • SHA512

    618830372f1e98f5712b368aa03b9d3cb0a22adc2c2befcaddf1635fa73d347bd16257963e94c176838cad5a75c81186e1e9b72571da3edf4d493b665a246290

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.thts.vn
  • Port:
    25
  • Username:
    [email protected]
  • Password:
    123luongngan1989

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    mail.thts.vn
  • Port:
    25
  • Username:
    [email protected]
  • Password:
    123luongngan1989

Targets

    • Target

      Payment Confirmation TT reference po.exe

    • Size

      807KB

    • MD5

      188d87dcba1c1d16b8779e05981c74c3

    • SHA1

      7503fee46ec790d3f76df6c14a0968504adfc886

    • SHA256

      402c8c6acc052173c55e48fe8228ae54db5b90be8ca3ab3d2050530b58c80b56

    • SHA512

      94066967f5bd3b9b331ffbb65bf3431421b7cebf95b940a70edbafef7def654c647b9fe04e4741d6a919b58b9ed4555e81c846e113b66461b38f0b299e17abdc

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks