General
-
Target
nigga b nostartupp.exe
-
Size
1.5MB
-
Sample
220303-twld8adeam
-
MD5
eef35b609d37962c62bab1df4c0b3c39
-
SHA1
b009a2c43f9a959c72245e07bfbb32ceb8a2473d
-
SHA256
da92268cf4a384c5d170d5d4ef9939183328e699c0097bd02b716757a2bc0dde
-
SHA512
63c54c570a672c2baf246d49e674f55a0b9b51e69db6c7cb8ac4d26ea8b1910e1ada87dc26eaaee13cb3428b9fd06a6277f27db88cf282746a9d9cc5f4d935b5
Static task
static1
Behavioral task
behavioral1
Sample
nigga b nostartupp.exe
Resource
win7-20220223-en
Malware Config
Extracted
matiex
https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
Targets
-
-
Target
nigga b nostartupp.exe
-
Size
1.5MB
-
MD5
eef35b609d37962c62bab1df4c0b3c39
-
SHA1
b009a2c43f9a959c72245e07bfbb32ceb8a2473d
-
SHA256
da92268cf4a384c5d170d5d4ef9939183328e699c0097bd02b716757a2bc0dde
-
SHA512
63c54c570a672c2baf246d49e674f55a0b9b51e69db6c7cb8ac4d26ea8b1910e1ada87dc26eaaee13cb3428b9fd06a6277f27db88cf282746a9d9cc5f4d935b5
-
Matiex Main Payload
-
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-