Overview

overview

10

Static

static

ba41cfdab0...b8.exe

windows7_x64

10

ba41cfdab0...b8.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ba41cfdab066b1042c036a2afd729db8.exe

  • Size

    1.9MB

  • Sample

    211212-pclhnadear

  • MD5

    ba41cfdab066b1042c036a2afd729db8

  • SHA1

    8369841c075f35cbe718adf6a82fc1169f649678

  • SHA256

    2822e6831ea3af883164c1711d3b6ac0a59b5403b557c044f56ac590b8ef5e22

  • SHA512

    dba0fb5a990ceb2780a2c9f7b6b172f1533f5e611fbf31234729096f23c029cc7c4b5eef6bbea87e86b446ed71478a7cf81b1103a4afeffae2be2bfa63eb0058

Score
10/10
matiexcollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ijxswknmmmycxzso

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ijxswknmmmycxzso

Targets

    • Target

      ba41cfdab066b1042c036a2afd729db8.exe

    • Size

      1.9MB

    • MD5

      ba41cfdab066b1042c036a2afd729db8

    • SHA1

      8369841c075f35cbe718adf6a82fc1169f649678

    • SHA256

      2822e6831ea3af883164c1711d3b6ac0a59b5403b557c044f56ac590b8ef5e22

    • SHA512

      dba0fb5a990ceb2780a2c9f7b6b172f1533f5e611fbf31234729096f23c029cc7c4b5eef6bbea87e86b446ed71478a7cf81b1103a4afeffae2be2bfa63eb0058

    Score
    10/10
    matiexcollectionevasionkeyloggerpersistencespywarestealertrojan

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

      stealerkeyloggermatiex

    • Matiex Main Payload

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Turns off Windows Defender SpyNet reporting

      evasion

    • Windows security bypass

      evasiontrojan

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Disabling Security Tools

4
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks