Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
28-01-2022 20:48
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA-9vUVHazo9RuSJpH.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
FACTURA-9vUVHazo9RuSJpH.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
FACTURA-9vUVHazo9RuSJpH.exe
-
Size
1.1MB
-
MD5
92955191ebfb02ef2f3fe33dbd6094ca
-
SHA1
2fecac06772d210574f44bfef91aeae8f0860a31
-
SHA256
c744fe5aa2ab646ac1a0583348316b13bf7ad12435edeb658aa5e0f09e494b89
-
SHA512
77d0354e0ba06d826810e50bd78898da79efe102ece81eac3fdd46cd60c57f8c9192ea805f945c1d76181d524eb859409bcc82ea7143a5d4f8a210e737540b01
Malware Config
Extracted
Family
matiex
Credentials
Protocol: smtp- Host:
serv3.devmexico.com - Port:
587 - Username:
[email protected] - Password:
3}l^pI#_4K_! - Email To:
[email protected]
Signatures
-
Matiex Main Payload 4 IoCs
resource yara_rule behavioral1/memory/1444-61-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex behavioral1/memory/1444-62-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex behavioral1/memory/1444-63-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex behavioral1/memory/1444-64-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1504 set thread context of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1504 FACTURA-9vUVHazo9RuSJpH.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1504 FACTURA-9vUVHazo9RuSJpH.exe Token: SeDebugPrivilege 1444 FACTURA-9vUVHazo9RuSJpH.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1504 wrote to memory of 1552 1504 FACTURA-9vUVHazo9RuSJpH.exe 29 PID 1504 wrote to memory of 1552 1504 FACTURA-9vUVHazo9RuSJpH.exe 29 PID 1504 wrote to memory of 1552 1504 FACTURA-9vUVHazo9RuSJpH.exe 29 PID 1504 wrote to memory of 1552 1504 FACTURA-9vUVHazo9RuSJpH.exe 29 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30 PID 1504 wrote to memory of 1444 1504 FACTURA-9vUVHazo9RuSJpH.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"2⤵PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444
-