Overview

overview

10

Static

static

52f13f6be6...be.exe

windows7_x64

10

52f13f6be6...be.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    52f13f6be6220affb4acc182f974dabe.exe

  • Size

    841KB

  • Sample

    211230-jeq82aebhk

  • MD5

    52f13f6be6220affb4acc182f974dabe

  • SHA1

    275d2e03ece179e04787fd2fd4174589a4794d2d

  • SHA256

    2568251040acb82859e2944aac69d01701c95d89d3d28e30a02b5445a0946ca1

  • SHA512

    13ee949087eaf6253b2f2395c2e00bf44e303cd334971219faf87e2bfd83371df51d543d20f834cf5dbaacfc81928e3c2590501de8a816bfbfb40866413af330

Score
10/10
asyncratmatiexdefaultcollectionevasionkeyloggerratspywarestealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1915791669:AAHbaTcWupO_GTP0Ize2y4KAhHdYK5bPczo/sendMessage?chat_id=1114717555

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

52.178.132.52:6606

52.178.132.52:7707

52.178.132.52:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    true

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Targets

    • Target

      52f13f6be6220affb4acc182f974dabe.exe

    • Size

      841KB

    • MD5

      52f13f6be6220affb4acc182f974dabe

    • SHA1

      275d2e03ece179e04787fd2fd4174589a4794d2d

    • SHA256

      2568251040acb82859e2944aac69d01701c95d89d3d28e30a02b5445a0946ca1

    • SHA512

      13ee949087eaf6253b2f2395c2e00bf44e303cd334971219faf87e2bfd83371df51d543d20f834cf5dbaacfc81928e3c2590501de8a816bfbfb40866413af330

    Score
    10/10
    asyncratmatiexdefaultcollectionevasionkeyloggerratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

      stealerkeyloggermatiex

    • Matiex Main Payload

    • Async RAT payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks