General

  • Target

    SsSuaeML7312gbk.exe

  • Size

    683KB

  • Sample

    211111-t5mnmsgger

  • MD5

    b228b9a2a36d06fd91d942e464ef16bd

  • SHA1

    8a974471c6336b046f08d17d8ba4c31d7d151b9c

  • SHA256

    108f33743a4ef5a5008a666449da79ba8505820db73e7e5098cb90c2cdd0ee66

  • SHA512

    cb14152f1284087fd4206a27eea79cc4d2f568f3fbc1e1962cf64d1e5b97a4c8d4cce1925fe910dea421f401e8d5c07cf0c632405ff2e26f72873662f9a3ad09

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1962824736:AAECUA300NkJ2NuTf0cKgva_k26j1y0NNHk/sendMessage?chat_id=457082756

Targets

    • Target

      SsSuaeML7312gbk.exe

    • Size

      683KB

    • MD5

      b228b9a2a36d06fd91d942e464ef16bd

    • SHA1

      8a974471c6336b046f08d17d8ba4c31d7d151b9c

    • SHA256

      108f33743a4ef5a5008a666449da79ba8505820db73e7e5098cb90c2cdd0ee66

    • SHA512

      cb14152f1284087fd4206a27eea79cc4d2f568f3fbc1e1962cf64d1e5b97a4c8d4cce1925fe910dea421f401e8d5c07cf0c632405ff2e26f72873662f9a3ad09

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

      suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks