General

  • Target

    b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443

  • Size

    487KB

  • Sample

    220415-be1hpsafe6

  • MD5

    3daaf23db69dd1bbf65d601eda68dd3e

  • SHA1

    9b4735376876302e9f06a9a4db30def3045917fe

  • SHA256

    b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443

  • SHA512

    c9cc18a3be6de8ab7bfb405410fa1ff95c3dbf0a47550efaa9aac90c53fdb39aac4681921f248c72eeaa0c4d156d45134ce79fc361fe2a226057bc96528825eb

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1428011164:AAFKIFGek20EZJPbNxOt7K2R-Cf-IiVGehs/sendMessage?chat_id=1280541017

Targets

    • Target

      b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443

    • Size

      487KB

    • MD5

      3daaf23db69dd1bbf65d601eda68dd3e

    • SHA1

      9b4735376876302e9f06a9a4db30def3045917fe

    • SHA256

      b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443

    • SHA512

      c9cc18a3be6de8ab7bfb405410fa1ff95c3dbf0a47550efaa9aac90c53fdb39aac4681921f248c72eeaa0c4d156d45134ce79fc361fe2a226057bc96528825eb

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Meta Stealer Stealer

      Meta Stealer steals passwords stored in browsers, written in C++.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks