Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    14-04-2022 12:23

General

  • Target

    50208488 AEJEA 81890010169430.exe

  • Size

    581KB

  • MD5

    1b485e01e597352e81f18d2a828edee3

  • SHA1

    09329b97c027cffbc9d34e5d49a3794b7209e246

  • SHA256

    039b571653cbd974ebb9e8c37c048d0f9c4e5302db86a7400ed7a81708cb6c8c

  • SHA512

    a124dbed4e5cc1809f9e473e2c0c84ddce944955ecb50adc8bf57f5134e0f282722a6a4ad23e62e2df333eaebe57878b0d40bae40867f24c9ec5efdb9b9ba53e

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    srvc13.turhost.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    italik2015

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
    "C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2472
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1128
        3⤵
        • Program crash
        PID:4568
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1128
        3⤵
        • Program crash
        PID:4576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2472 -ip 2472
    1⤵
      PID:3764
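
Read together, the tree above is a process-hollowing and exfiltration chain: an executable running from the user's Temp directory (PID 4576) uses SetThreadContext, WriteProcessMemory and MapViewOfSection against a child MSBuild.exe that it launched with no arguments (PID 2472); that child, not the dropper, is what touches the Outlook profile registry paths and, per the extracted configuration, would speak SMTP to srvc13.turhost.com on port 587. The two WerFault.exe children pointing at `-p 2472` show the hollowed host crashing, which is common when an injected payload does not fit the host cleanly. The detection pass below is an added example, not code from the report or the sample. It runs over hand-constructed Sysmon-style events (EventID 1 process create, EventID 3 network connect) that mirror the report's tree and extracted config; the dropper's parent (explorer.exe), the mail-client allowlist, the user-writable directory pattern and the benign control events are this example's assumptions. Outlook profile reads are left out on purpose: Sysmon does not log registry reads, so that signature needs EDR telemetry the example does not model.

```python
"""Detection pass over constructed Sysmon-style events.

Added example, not part of the sandbox report and not the sample's code. The
events below are constructed by hand to mirror the report's process tree and
extracted SMTP config; field names follow Sysmon (EventID 1 = process create,
EventID 3 = network connect) but nothing here was captured from the sample.
"""
import re
from typing import Dict, Iterable, List, Set

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Dropper start (report PID 4576). Parent is assumed; the report shows it at the root.
    {"EventID": "1", "ProcessId": "4576", "Image": DROPPER,
     "CommandLine": f'"{DROPPER}"', "ParentImage": r"C:\Windows\explorer.exe"},
    # MSBuild.exe spawned by the dropper with a bare command line (report PID 2472).
    {"EventID": "1", "ProcessId": "2472", "Image": MSBUILD,
     "CommandLine": f'"{MSBUILD}"', "ParentImage": DROPPER},
    # Egress to the extracted SMTP host/port from the hollowed MSBuild (constructed).
    {"EventID": "3", "ProcessId": "2472", "Image": MSBUILD,
     "DestinationHostname": "srvc13.turhost.com", "DestinationPort": "587"},
    # Benign control (constructed): a real build from Visual Studio, must not alert.
    {"EventID": "1", "ProcessId": "5000", "Image": MSBUILD,
     "CommandLine": f'"{MSBUILD}" App.csproj /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign control (constructed): a mail client on a submission port, must not alert.
    {"EventID": "3", "ProcessId": "5100",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.example.com", "DestinationPort": "587"},
]

# Tunables. Only MSBuild.exe appears in the report; the allowlist and the
# user-writable directory pattern are this example's assumptions.
HOLLOWING_HOSTS: Set[str] = {"msbuild.exe"}
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|downloads|public)\\", re.I)
MAIL_CLIENTS: Set[str] = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS: Set[str] = {"25", "465", "587"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is nothing but the image path (quoted or not).

    A genuine build passes a project file or switches; a hollowing host is
    typically launched bare because the injected payload ignores argv.
    """
    return command_line.strip().strip('"').lower() == image.lower()


def detect(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return alert strings; a PID that trips both rules also gets a 'chain' alert."""
    alerts: List[str] = []
    hollowed: Set[str] = set()
    exfil: Set[str] = set()
    for ev in events:
        image = ev.get("Image", "")
        name = basename(image)
        pid = ev.get("ProcessId", "?")
        if ev.get("EventID") == "1":
            parent = ev.get("ParentImage", "")
            # Rule 1: a known hollowing host, launched bare, by a parent in a user-writable dir.
            if (name in HOLLOWING_HOSTS and USER_WRITABLE.search(parent)
                    and has_no_arguments(ev.get("CommandLine", ""), image)):
                hollowed.add(pid)
                alerts.append(f"hollowing-host pid={pid} {name} launched bare by {parent}")
        elif ev.get("EventID") == "3":
            port = ev.get("DestinationPort", "")
            # Rule 2: SMTP egress from anything that is not a mail client.
            if port in SMTP_PORTS and name not in MAIL_CLIENTS:
                exfil.add(pid)
                alerts.append(f"smtp-from-non-mail-client pid={pid} {name} -> "
                              f"{ev.get('DestinationHostname', '')}:{port}")
    # Correlation: the same PID flagged by both rules is the chain the report shows.
    for pid in sorted(hollowed & exfil):
        alerts.append(f"chain pid={pid} bare LOLBIN host followed by SMTP egress")
    return alerts


def alerted_pids(events: Iterable[Dict[str, str]]) -> Set[str]:
    """PIDs named in any alert, for quick triage."""
    return {a.split("pid=", 1)[1].split()[0] for a in detect(events)}


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events, only PID 2472 alerts, on both rules plus the correlation, while the Visual Studio build and the Outlook connection stay silent. The bare-command-line check is what keeps rule 1 quiet on developer machines; the parent-directory check is what keeps it quiet for MSBuild started bare from a project directory by cmd.exe.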

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2472-125-0x0000000000000000-mapping.dmp
  • memory/2472-126-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

  • memory/2472-127-0x00000000054F0000-0x000000000558C000-memory.dmp
    Filesize

    624KB

  • memory/2472-128-0x0000000005B40000-0x00000000060E4000-memory.dmp
    Filesize

    5.6MB

  • memory/2472-129-0x0000000005590000-0x00000000055F6000-memory.dmp
    Filesize

    408KB

  • memory/4568-130-0x0000000000000000-mapping.dmp
  • memory/4576-124-0x0000000000B3D000-0x0000000000B40000-memory.dmp
    Filesize

    12KB