General

Target: ba41cfdab066b1042c036a2afd729db8.exe
Size: 1.9MB
Sample: 211212-pclhnadear
MD5: ba41cfdab066b1042c036a2afd729db8
SHA1: 8369841c075f35cbe718adf6a82fc1169f649678
SHA256: 2822e6831ea3af883164c1711d3b6ac0a59b5403b557c044f56ac590b8ef5e22
SHA512: dba0fb5a990ceb2780a2c9f7b6b172f1533f5e611fbf31234729096f23c029cc7c4b5eef6bbea87e86b446ed71478a7cf81b1103a4afeffae2be2bfa63eb0058
Static task: static1
Behavioral task: behavioral1 (sample ba41cfdab066b1042c036a2afd729db8.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample ba41cfdab066b1042c036a2afd729db8.exe, resource win10-en-20211208)
Malware Config

Extracted (matiex)
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: ijxswknmmmycxzso
Targets

Target: ba41cfdab066b1042c036a2afd729db8.exe
- Matiex Main Payload
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext