Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-12-2021 07:35

General

  • Target

    52f13f6be6220affb4acc182f974dabe.exe

  • Size

    841KB

  • MD5

    52f13f6be6220affb4acc182f974dabe

  • SHA1

    275d2e03ece179e04787fd2fd4174589a4794d2d

  • SHA256

    2568251040acb82859e2944aac69d01701c95d89d3d28e30a02b5445a0946ca1

  • SHA512

    13ee949087eaf6253b2f2395c2e00bf44e303cd334971219faf87e2bfd83371df51d543d20f834cf5dbaacfc81928e3c2590501de8a816bfbfb40866413af330

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1915791669:AAHbaTcWupO_GTP0Ize2y4KAhHdYK5bPczo/sendMessage?chat_id=1114717555

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

52.178.132.52:6606

52.178.132.52:7707

52.178.132.52:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    true

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain
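The two extracted configs above are the most actionable part of this report. The Python below is an added example, not part of the sandbox output or of either malware family's code: it turns the configs into indicators and runs them over a handful of constructed telemetry records. The Telegram URL is split so that the numeric bot id and the chat id can be matched independently of the secret half of the token (api.telegram.org is legitimate traffic, so matching on the host alone is useless), while the AsyncRAT ip:port entries and the mutex are matched exactly. The config values are copied from this report; the record format and the sample records are my own assumptions.

```python
"""Turn the Matiex and AsyncRAT configs extracted above into hunting indicators.

Added example. The two config values are copied from this report; the
telemetry records at the bottom are constructed for the self-check.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Copied from the "Malware Config" section of this report.
MATIEX_C2 = ("https://api.telegram.org/bot1915791669:"
             "AAHbaTcWupO_GTP0Ize2y4KAhHdYK5bPczo/sendMessage?chat_id=1114717555")
ASYNCRAT_C2 = ["52.178.132.52:6606", "52.178.132.52:7707", "52.178.132.52:8808"]
ASYNCRAT_MUTEX = "AsyncMutex_6SI8OkPnk"

# Bot API paths look like /bot<numeric id>:<secret>/<method>. The numeric id is
# the stable half (it survives a token regeneration); the secret is the credential.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API exfil URL into bot id, token, method and chat id."""
    parts = urlsplit(url)
    m = TELEGRAM_BOT_PATH.match(parts.path)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org" or m is None:
        raise ValueError(f"not a Telegram Bot API URL: {url!r}")
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "token": f"{m['bot_id']}:{m['secret']}",
            "method": m["method"], "chat_id": chat}


def parse_endpoints(entries) -> set:
    """Validate "ip:port" C2 entries and return them as (ip, port) tuples."""
    out = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not 0 < int(port) < 65536:
            raise ValueError(f"bad endpoint {entry!r}")
        out.add((str(ipaddress.ip_address(host)), int(port)))
    return out


def build_iocs() -> dict:
    tg = parse_telegram_c2(MATIEX_C2)
    return {
        "telegram_bot_ids": {tg["bot_id"]},
        "telegram_chat_ids": {tg["chat_id"]},
        "tcp_endpoints": parse_endpoints(ASYNCRAT_C2),
        "mutexes": {ASYNCRAT_MUTEX},
    }


def classify_record(rec: dict, iocs: dict):
    """Return a hit reason for one proxy/NetFlow/EDR-style record, or None.

    Record shapes are an assumption of this example:
      {"type": "http", "url": ...}, {"type": "tcp", "dst_ip": ..., "dst_port": ...},
      {"type": "mutex", "name": ...}
    """
    if rec["type"] == "http":
        try:
            tg = parse_telegram_c2(rec["url"])
        except ValueError:
            return None          # not a Bot API call at all
        if tg["bot_id"] in iocs["telegram_bot_ids"]:
            return f"telegram bot {tg['bot_id']} ({tg['method']})"
        if tg["chat_id"] in iocs["telegram_chat_ids"]:
            return f"telegram chat_id {tg['chat_id']}"
        return None
    if rec["type"] == "tcp":
        if (rec["dst_ip"], rec["dst_port"]) in iocs["tcp_endpoints"]:
            return f"AsyncRAT C2 {rec['dst_ip']}:{rec['dst_port']}"
        return None
    if rec["type"] == "mutex":
        return "AsyncRAT mutex" if rec["name"] in iocs["mutexes"] else None
    return None


def scan(records, iocs) -> list:
    """Return (record index, reason) for every record that matches an IOC."""
    hits = []
    for i, rec in enumerate(records):
        reason = classify_record(rec, iocs)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample telemetry (not from the report): an exfil call reusing the
# bot id from the config under a regenerated secret, an unrelated Telegram bot,
# one C2 connection, a connection to the C2 host on a port that is not in the
# config, and the mutex.
SAMPLE_RECORDS = [
    {"type": "http", "url": "https://api.telegram.org/bot1915791669:REGENERATED_secret/sendDocument"},
    {"type": "http", "url": "https://api.telegram.org/bot424242:AAEunrelatedbot/getUpdates"},
    {"type": "tcp", "dst_ip": "52.178.132.52", "dst_port": 7707},
    {"type": "tcp", "dst_ip": "52.178.132.52", "dst_port": 443},
    {"type": "mutex", "name": "AsyncMutex_6SI8OkPnk"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_RECORDS, build_iocs()):
        print(idx, why)
```

The bot token in the config is the operator's credential to that bot; treat it as an indicator to match and report, not something to exercise against the API.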

Signatures

  • AsyncRat

    AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers.

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload 5 IoCs
  • Async RAT payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs

    vbc.exe is a signed Microsoft binary shipped with the .NET Framework, not a VBScript engine. Here the sample starts it with the literal command line "{path}" and, given the SetThreadContext/WriteProcessMemory activity on the parent and the region dumped at 0x400000 from PID 912, uses it as the host process for an injected payload.
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs

    Setting the thread context of another process is the final step of process hollowing: after the payload has been written with WriteProcessMemory, the suspended main thread is pointed at the new entry point and resumed.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature calls it likely ransomware behaviour; in this sample it accompanies infostealer and sandbox-detection activity (see the drive-mapping signature above), and no encryption is reported.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52f13f6be6220affb4acc182f974dabe.exe
    "C:\Users\Admin\AppData\Local\Temp\52f13f6be6220affb4acc182f974dabe.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\BIBILZ.exe
      "C:\Users\Admin\AppData\Local\Temp\BIBILZ.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 2096
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1000
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cOSEdHWJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp144F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2452
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:912
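Two things in the process tree above deserve rules rather than eyeballing: a schtasks /Create that imports its task definition from a file in the user's Temp directory, and a signed .NET build tool (vbc.exe) launched with the unexpanded placeholder "{path}" by a Temp-resident binary that shows SetThreadContext/WriteProcessMemory. The Python below is an added example, not part of the sandbox or of the malware: the process records are constructed from the PIDs, images, command lines and per-process signatures shown in this report, and the rule logic, the list of user-writable directory markers and the set of .NET host binaries beyond vbc.exe are my own assumptions.

```python
"""Triage rules over the process tree shown above: persistence via schtasks /XML
and process hollowing into a .NET compiler host.

Added example. Records are constructed from this report's process tree; the
rules, directory markers and host-binary list are assumptions of this example.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sigs: frozenset = frozenset()   # sandbox signature names attached to the process


# Path fragments that mark user-writable locations (assumption of this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\public\\")
# Signed Microsoft .NET build-tool binaries used as injection hosts; vbc.exe is the
# one this report shows, the others are an assumption of this example.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
HOLLOWING_SIGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}


def arg_after(cmdline: str, flag: str):
    """Value following a schtasks-style flag, quoted or bare, or None."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def rule_schtasks_xml_from_user_dir(p: Proc, parent):
    """schtasks /Create importing a task definition from a user-writable directory."""
    if ntpath.basename(p.image).lower() != "schtasks.exe":
        return None
    if "/create" not in p.cmdline.lower():
        return None
    xml = arg_after(p.cmdline, "/XML")
    if xml is None or not in_user_writable(xml):
        return None
    return f"scheduled task {arg_after(p.cmdline, '/TN')!r} imported from {xml}"


def rule_hollowed_dotnet_host(p: Proc, parent):
    """A signed .NET build tool started by a user-dir binary that injected into it."""
    if ntpath.basename(p.image).lower() not in DOTNET_HOSTS or parent is None:
        return None
    if not in_user_writable(parent.image) or not HOLLOWING_SIGS <= parent.sigs:
        return None
    # Loaders frequently leave the builder's template placeholder as the command line.
    placeholder = p.cmdline.strip('"').startswith("{")
    return (f"{ntpath.basename(p.image)} spawned by {ntpath.basename(parent.image)} "
            f"(pid {parent.pid}) after SetThreadContext/WriteProcessMemory"
            + ("; command line is an unexpanded template" if placeholder else ""))


RULES = {"schtasks_xml_from_user_dir": rule_schtasks_xml_from_user_dir,
         "hollowed_dotnet_host": rule_hollowed_dotnet_host}


def triage(tree) -> list:
    """Return (pid, rule name, detail) for every process a rule fires on."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        for name, rule in RULES.items():
            detail = rule(p, parent)
            if detail:
                findings.append((p.pid, name, detail))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the process tree in this report (ppid 0 marks the root).
TREE = [
    Proc(2440, 0, rf"{TEMP}\52f13f6be6220affb4acc182f974dabe.exe",
         rf'"{TEMP}\52f13f6be6220affb4acc182f974dabe.exe"',
         frozenset({"Checks BIOS information in registry", "Maps connected drives based on registry",
                    "Suspicious use of SetThreadContext", "Suspicious use of AdjustPrivilegeToken",
                    "Suspicious use of WriteProcessMemory"})),
    Proc(804, 2440, rf"{TEMP}\BIBILZ.exe", rf'"{TEMP}\BIBILZ.exe"',
         frozenset({"Executes dropped EXE", "Drops startup file", "Accesses Microsoft Outlook profiles"})),
    Proc(1000, 804, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 2096", frozenset({"Program crash"})),
    Proc(2452, 2440, r"C:\Windows\SysWOW64\schtasks.exe",
         rf'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cOSEdHWJ" /XML "{TEMP}\tmp144F.tmp"',
         frozenset({"Creates scheduled task(s)"})),
    Proc(912, 2440, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", '"{path}"',
         frozenset({"Suspicious use of AdjustPrivilegeToken"})),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(TREE):
        print(pid, rule, detail)
```

Neither rule fires on WerFault.exe or on the dropped BIBILZ.exe, which is the point: the crash handler and the second-stage dropper are noise for these two behaviours, and the task name under Updates\ plus the tmp144F.tmp path are what to pull from the host during response.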

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting (1 signature) T1064
  • Scheduled Task (1 signature) T1053

Persistence

  • Scheduled Task (1 signature) T1053

Privilege Escalation

  • Scheduled Task (1 signature) T1053

Defense Evasion

  • Virtualization/Sandbox Evasion (2 signatures) T1497
  • Scripting (1 signature) T1064

Credential Access

  • Credentials in Files (2 signatures) T1081

Discovery

  • Query Registry (4 signatures) T1012
  • Virtualization/Sandbox Evasion (2 signatures) T1497
  • System Information Discovery (3 signatures) T1082
  • Peripheral Device Discovery (1 signature) T1120

Collection

  • Data from Local System (2 signatures) T1005
  • Email Collection (1 signature) T1114


Downloads

  • C:\Users\Admin\AppData\Local\Temp\BIBILZ.exe
    MD5

    3909dfbc501304e780b91e47bae11c6f

    SHA1

    9ecfeb5103ab0d066678e2d537ae6a8a996f7306

    SHA256

    6584bc68270df457d3430776e5d50531a2431f891a6716ed2c9641568de0dcf1

    SHA512

    591d425d741a50d94dbfb85520db202abca81a1546728e06d757529cb3625aefe8b9c4556afcc4fdebb608c2784d4da160b8b20e19215189ef284f846e02ac1e


  • C:\Users\Admin\AppData\Local\Temp\tmp144F.tmp
    MD5

    9a8ebf4c76f53af25d7478545fdf24a6

    SHA1

    ce116183563ea8191f44a763b495d71d0b46f40b

    SHA256

    58ca13a005a8cf982683a7f6e0839368cbfe792accc98a6631630afc90f4cf6f

    SHA512

    68e45f9a3e1af200232b8ac398950e0e0fd61da70e6b0e4e26de3286615af009f76398be5e1d6a96fd8d3f2b3f2fb6d2d566cdf50739769572b54fb9a0618400

  • memory/804-128-0x0000000000000000-mapping.dmp
  • memory/804-145-0x0000000004AB0000-0x0000000004FAE000-memory.dmp
    Filesize

    5.0MB

  • memory/804-136-0x0000000004B50000-0x0000000004BB6000-memory.dmp
    Filesize

    408KB

  • memory/804-135-0x0000000004FB0000-0x00000000054AE000-memory.dmp
    Filesize

    5.0MB

  • memory/804-134-0x0000000004A10000-0x0000000004AAC000-memory.dmp
    Filesize

    624KB

  • memory/804-132-0x0000000000180000-0x00000000001F6000-memory.dmp
    Filesize

    472KB

  • memory/804-131-0x0000000000180000-0x00000000001F6000-memory.dmp
    Filesize

    472KB

  • memory/912-139-0x000000000040C71E-mapping.dmp
  • memory/912-138-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/912-147-0x0000000000B60000-0x0000000000B61000-memory.dmp
    Filesize

    4KB

  • memory/912-146-0x00000000096E0000-0x00000000096E1000-memory.dmp
    Filesize

    4KB

  • memory/912-144-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/912-143-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/912-142-0x0000000000B60000-0x0000000000B61000-memory.dmp
    Filesize

    4KB

  • memory/912-141-0x0000000000B60000-0x0000000000B61000-memory.dmp
    Filesize

    4KB

  • memory/912-140-0x0000000000B60000-0x0000000000B61000-memory.dmp
    Filesize

    4KB

  • memory/2440-122-0x0000000004E20000-0x0000000004E76000-memory.dmp
    Filesize

    344KB

  • memory/2440-121-0x0000000004B90000-0x0000000004B9A000-memory.dmp
    Filesize

    40KB

  • memory/2440-118-0x0000000005060000-0x000000000555E000-memory.dmp
    Filesize

    5.0MB

  • memory/2440-117-0x0000000004AB0000-0x0000000004B4C000-memory.dmp
    Filesize

    624KB

  • memory/2440-120-0x0000000004B60000-0x000000000505E000-memory.dmp
    Filesize

    5.0MB

  • memory/2440-115-0x00000000000C0000-0x0000000000198000-memory.dmp
    Filesize

    864KB

  • memory/2440-127-0x000000000DC10000-0x000000000DC76000-memory.dmp
    Filesize

    408KB

  • memory/2440-119-0x0000000004C00000-0x0000000004C92000-memory.dmp
    Filesize

    584KB

  • memory/2440-126-0x000000000AB60000-0x000000000AB72000-memory.dmp
    Filesize

    72KB

  • memory/2440-123-0x0000000005020000-0x0000000005034000-memory.dmp
    Filesize

    80KB

  • memory/2440-124-0x000000007E120000-0x000000007E121000-memory.dmp
    Filesize

    4KB

  • memory/2440-116-0x00000000000C0000-0x0000000000198000-memory.dmp
    Filesize

    864KB

  • memory/2440-125-0x00000000083B0000-0x0000000008416000-memory.dmp
    Filesize

    408KB

  • memory/2452-133-0x0000000000000000-mapping.dmp
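The memory dump names above encode, per process, the address ranges the sandbox considered worth saving, and they are where the injection shows up: PID 912 (vbc.exe) has a 72KB region dumped three times at 0x400000, the default 32-bit PE image base, with a mapping address 0x40C71E inside it. The Python below is an added example, not part of the sandbox output: it parses the names, recomputes the sizes the report prints, and flags Windows-system processes that have a dumped region at the default image base. The dump names and the PID-to-image map are taken from this report (a subset of the list, to keep the example short); the reading of the name as memory/<pid>-<sequence>-<start>-<end>-memory.dmp and the heuristics are my own assumptions.

```python
"""Group the memory dump names listed above by PID and point at the region that
shows where the injected code landed.

Added example. Dump names and the PID-to-image map come from this report; the
interpretation of the name fields and the heuristics are assumptions of this example.
"""
import re
from collections import defaultdict

# Assumed layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp for a region,
# memory/<pid>-<seq>-0x<addr>-mapping.dmp for a single address.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

DEFAULT_IMAGE_BASE = 0x400000   # classic 32-bit PE image base

# From the process tree in this report.
IMAGES = {
    2440: r"C:\Users\Admin\AppData\Local\Temp\52f13f6be6220affb4acc182f974dabe.exe",
    804: r"C:\Users\Admin\AppData\Local\Temp\BIBILZ.exe",
    912: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
    2452: r"C:\Windows\SysWOW64\schtasks.exe",
}

# Subset of the Downloads list in this report (all of PID 912, a few of the rest).
DUMPS = [
    "memory/804-128-0x0000000000000000-mapping.dmp",
    "memory/804-132-0x0000000000180000-0x00000000001F6000-memory.dmp",
    "memory/804-131-0x0000000000180000-0x00000000001F6000-memory.dmp",
    "memory/912-139-0x000000000040C71E-mapping.dmp",
    "memory/912-138-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/912-147-0x0000000000B60000-0x0000000000B61000-memory.dmp",
    "memory/912-146-0x00000000096E0000-0x00000000096E1000-memory.dmp",
    "memory/912-144-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/912-143-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/912-142-0x0000000000B60000-0x0000000000B61000-memory.dmp",
    "memory/912-141-0x0000000000B60000-0x0000000000B61000-memory.dmp",
    "memory/912-140-0x0000000000B60000-0x0000000000B61000-memory.dmp",
    "memory/2440-115-0x00000000000C0000-0x0000000000198000-memory.dmp",
    "memory/2440-116-0x00000000000C0000-0x0000000000198000-memory.dmp",
    "memory/2440-125-0x00000000083B0000-0x0000000008416000-memory.dmp",
    "memory/2452-133-0x0000000000000000-mapping.dmp",
]


def parse_dump(name: str) -> dict:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "kind": "region" if end is not None else "mapping"}


def kb(size: int) -> str:
    """Size in the report's own style, e.g. 73728 -> '72.0KB'."""
    return f"{size / 1024:.1f}KB"


def regions_by_pid(names) -> dict:
    """pid -> {(start, end): size in bytes}; repeated dumps of a range collapse to one."""
    out = defaultdict(dict)
    for d in map(parse_dump, names):
        if d["kind"] == "region":
            out[d["pid"]][(d["start"], d["end"])] = d["end"] - d["start"]
    return out


def hollowing_candidates(names, images) -> list:
    """Windows-system processes with a dumped region at the default image base.

    The sandbox only dumps what it finds interesting, so a small region at
    0x400000 inside a Microsoft binary is a strong hint that the original image
    was replaced; a mapping address inside that region strengthens it.
    """
    parsed = [parse_dump(n) for n in names]
    hits = []
    for pid, image in images.items():
        if not image.lower().startswith("c:\\windows\\"):
            continue
        regions = {(d["start"], d["end"]) for d in parsed if d["pid"] == pid and d["kind"] == "region"}
        mappings = [d["start"] for d in parsed if d["pid"] == pid and d["kind"] == "mapping"]
        for start, end in sorted(regions):
            if start == DEFAULT_IMAGE_BASE:
                hits.append({"pid": pid, "image": image, "size": end - start,
                             "mapping_inside": [a for a in mappings if start <= a < end]})
    return hits


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        for (start, end), size in sorted(regions.items()):
            print(f"pid {pid}: 0x{start:X}-0x{end:X} {kb(size)}")
    for hit in hollowing_candidates(DUMPS, IMAGES):
        print("candidate:", hit)
```

For comparison, the 864KB region at 0xC0000 in PID 2440 is the original sample mapped as an image (841KB on disk plus section alignment), and the 472KB region at 0x180000 in PID 804 is BIBILZ.exe; both are user-Temp binaries, so they are not flagged. schtasks.exe (PID 2452) lives under C:\Windows but only has a mapping entry at address 0, so it is not flagged either.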