Resubmissions

07-12-2021 12:53

211207-p4mj2ahcek 10

General

  • Target

    cff383a9c4716e6ce935e3b4132cef34

  • Size

    391KB

  • Sample

    211207-p4mj2ahcek

  • MD5

    cff383a9c4716e6ce935e3b4132cef34

  • SHA1

    95fb309753bdb273b8da6cfef6bd7af012d7d11f

  • SHA256

    32de63f0ac703c7d654d2676af0b2b3fa08dced0bc918318a9d642a696a6a91c

  • SHA512

    2dd9e08b8539b0bb27bd4a295accb8c48fc22ca34798df23058ee4bc86249b79efecf2b65cd30f71ddb3bd2bb068038163e4302b69bed7160f905897f9c5432d

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Targets

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
