General

  • Target

    tmp/vbc.exe

  • Size

    1.5MB

  • Sample

    211214-phdp1afff9

  • MD5

    8e5e31f5dd73631eddc2cb57e0f48a9a

  • SHA1

    13bd3cf85edef10be8b60c96334eda4f30eda0ba

  • SHA256

    356c38de132ad392f3155f48d11f97efbd7892a04499aea67dab5a76e85cb68d

  • SHA512

    43cf5099575d698ffbd13dc82aa76e2358629d52217cd9d019acfb52c87a29e1ef9750dee756d164787544c76cc68464b014e3f17b3236467952ef95215a94d1

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Targets

    • Target

      tmp/vbc.exe

    • Size

      1.5MB

    • MD5

      8e5e31f5dd73631eddc2cb57e0f48a9a

    • SHA1

      13bd3cf85edef10be8b60c96334eda4f30eda0ba

    • SHA256

      356c38de132ad392f3155f48d11f97efbd7892a04499aea67dab5a76e85cb68d

    • SHA512

      43cf5099575d698ffbd13dc82aa76e2358629d52217cd9d019acfb52c87a29e1ef9750dee756d164787544c76cc68464b014e3f17b3236467952ef95215a94d1

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks