General
Target: 3d19bf2c34c0a658803fd2b97e5ec3290498f5f33498b5f529e66c6a3f28fff2
Size: 1.2MB
Sample: 220215-mszn4seaa8
MD5: 6cfa223ff643d058218d1f12b57d26a7
SHA1: ad3f357f1fe4ebdea553165f9066650adae0b962
SHA256: 3d19bf2c34c0a658803fd2b97e5ec3290498f5f33498b5f529e66c6a3f28fff2
SHA512: b3ccc45e1bd360c17c886ae3f4e0895709885f1d1769e15738e497efc01bc66151b488a1c6c69d03f7b80ea844dc3fee9d9f22b5ad40db5a0757738adfe3d2cb
Static task: static1
Behavioral task: behavioral1
Sample: 3d19bf2c34c0a658803fd2b97e5ec3290498f5f33498b5f529e66c6a3f28fff2.exe
Resource: win7-en-20211208
Malware Config
Extracted: matiex
Protocol: ftp
Host: ftp://ftp.minister-finance.com/
Port: 21
Username: [email protected]
Password: emma@yes
Targets
Target: 3d19bf2c34c0a658803fd2b97e5ec3290498f5f33498b5f529e66c6a3f28fff2
Size: 1.2MB
MD5: 6cfa223ff643d058218d1f12b57d26a7
SHA1: ad3f357f1fe4ebdea553165f9066650adae0b962
SHA256: 3d19bf2c34c0a658803fd2b97e5ec3290498f5f33498b5f529e66c6a3f28fff2
SHA512: b3ccc45e1bd360c17c886ae3f4e0895709885f1d1769e15738e497efc01bc66151b488a1c6c69d03f7b80ea844dc3fee9d9f22b5ad40db5a0757738adfe3d2cb
Signatures
- Matiex Main Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext