matiex | c744fe5aa2ab646ac1a0583348316b13bf7ad12435edeb658aa5e0f09e494b89

General

Target

FACTURA-9vUVHazo9RuSJpH.exe
Size

1.1MB
MD5

92955191ebfb02ef2f3fe33dbd6094ca
SHA1

2fecac06772d210574f44bfef91aeae8f0860a31
SHA256

c744fe5aa2ab646ac1a0583348316b13bf7ad12435edeb658aa5e0f09e494b89
SHA512

77d0354e0ba06d826810e50bd78898da79efe102ece81eac3fdd46cd60c57f8c9192ea805f945c1d76181d524eb859409bcc82ea7143a5d4f8a210e737540b01

Score

10^/10

matiex keylogger spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
serv3.devmexico.com
Port:
587
Username:
[email protected]
Password:
3}l^pI#_4K_!
Email To:
[email protected]

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-61-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/1444-62-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/1444-63-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/1444-64-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

FACTURA-9vUVHazo9RuSJpH.exe

description pid process target process

PID 1504 set thread context of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe FACTURA-9vUVHazo9RuSJpH.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FACTURA-9vUVHazo9RuSJpH.exe

pid process

1504 FACTURA-9vUVHazo9RuSJpH.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FACTURA-9vUVHazo9RuSJpH.exeFACTURA-9vUVHazo9RuSJpH.exe

description pid process

Token: SeDebugPrivilege 1504 FACTURA-9vUVHazo9RuSJpH.exe
Token: SeDebugPrivilege 1444 FACTURA-9vUVHazo9RuSJpH.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1504 set thread context of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe

pid	process
1504	FACTURA-9vUVHazo9RuSJpH.exe

description	pid	process
Token: SeDebugPrivilege	1504	FACTURA-9vUVHazo9RuSJpH.exe
Token: SeDebugPrivilege	1444	FACTURA-9vUVHazo9RuSJpH.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

FACTURA-9vUVHazo9RuSJpH.exe

description	pid	process	target process
PID 1504 wrote to memory of 1552	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1552	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1552	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1552	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe
PID 1504 wrote to memory of 1444	1504	FACTURA-9vUVHazo9RuSJpH.exe	FACTURA-9vUVHazo9RuSJpH.exe

C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe
  "C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe
  "C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-59-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1444-60-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1444-61-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1444-62-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1444-63-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1444-64-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1444-66-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/1504-54-0x0000000000B80000-0x0000000000C9A000-memory.dmp

Filesize
1.1MB

Download
memory/1504-55-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1504-56-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1504-57-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1504-58-0x0000000005070000-0x0000000005128000-memory.dmp

Filesize
736KB

Download

Resubmissions

Analysis

Sharing