General
Target: 959c997ad7beaa75558665d28c9684515da2f5d5cb69b7a5375e1acbe397dc9d
Size: 790KB
Sample: 220326-vmze6afcc2
MD5: b3f376aa63caf6b537d4b6a7308e3b7b
SHA1: 52157f01ff1b092e9ed9982b79ca2de272233c4a
SHA256: 959c997ad7beaa75558665d28c9684515da2f5d5cb69b7a5375e1acbe397dc9d
SHA512: 9c01fcc4d2b50c28b8ae38aee6318176cff91d16ad2f4d60b4f67032582fbcafb594c3938a00b330290a738bb9ce63f78b8574fd511d7474357b26005c479246
Static task: static1
Behavioral task: behavioral1
Sample: 959c997ad7beaa75558665d28c9684515da2f5d5cb69b7a5375e1acbe397dc9d.exe
Resource: win7-20220311-en
Malware Config
Extracted family: matiex
Protocol: ftp
Host: ftp://ftp.minister-finance.com/
Port: 21
Username: [email protected]
Password: Dakar@911
Targets
Target: 959c997ad7beaa75558665d28c9684515da2f5d5cb69b7a5375e1acbe397dc9d (same 790KB file as under General; MD5, SHA1, SHA256 and SHA512 as listed there)
Signatures:
- Matiex Main Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext