General
- Target: 382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7
- Size: 418KB
- Sample: 220327-bhzqksbfb7
- MD5: 1fb9ed11df573b8d7b760c35555303f8
- SHA1: 0ff20a1f73b225c8efc056fd38bbc71b7110a666
- SHA256: 382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7
- SHA512: 7ab5dd57f8969570537e89397b8151e0f9eb3e99da73c53a403c0aa92806729a2bc7b9e35e9d669057e9a24d6bce20254dd6cc1937e545ec7db30c57c6f9af1d
Static task: static1
Behavioral task: behavioral1
- Sample: 382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
- Resource: win7-20220331-en
Malware Config
Extracted: matiex
- Protocol: ftp
- Host: ftp://ftp.diamondassetinvest.com/
- Port: 21
- Username: [email protected]
- Password: Kilimanjaro@123
Targets
- Matiex Main Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext