matiex | 53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e | Triage

Submit
Reports

Overview

overview

Static

static

53833eaa5c...2e.exe

windows7_x64

53833eaa5c...2e.exe

windows10-2004_x64

Sharing

General

Target

53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e
Size

562KB
Sample

220414-n495naafd3
MD5

bb3686437e0d66932c91effd44532f19
SHA1

c48e84822d9fd0ca1735de610d739252fc9266bd
SHA256

53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e
SHA512

08e0b6a16d68ecf2e97a4f5d0ad5be677674d666f10d9a6911941cc34bbe1e3d34c37b842483990e0705fc9ed5790a83023fe539243913199d6b03bb583c3c06

Score

10^/10

matiex agilenet keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e.exe

Resource

win7-20220331-en

matiex agilenet keylogger persistence stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e.exe

Resource

win10v2004-20220331-en

matiex keylogger persistence stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.spamora.net
Port:
587
Username:
[email protected]
Password:
Emotion1

Targets

- Target
  
  53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e
- Size
  
  562KB
- MD5
  
  bb3686437e0d66932c91effd44532f19
- SHA1
  
  c48e84822d9fd0ca1735de610d739252fc9266bd
- SHA256
  
  53833eaa5c4c091fb3e25aa7707d1ff5ecf01aa3a69da439742186466c85042e
- SHA512
  
  08e0b6a16d68ecf2e97a4f5d0ad5be677674d666f10d9a6911941cc34bbe1e3d34c37b842483990e0705fc9ed5790a83023fe539243913199d6b03bb583c3c06
Score

10^/10

matiex agilenet keylogger persistence stealer
- Matiex
  Matiex is a keylogger and infostealer first seen in July 2020.
  stealer keylogger matiex
- Matiex Main Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

matiexagilenetkeyloggerpersistencestealer

behavioral2

matiexkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy