Malware Analysis Report

2024-10-18 23:03

Sample ID 220415-be1hpsafe6
Target b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443
SHA256 b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443
Tags
matiex collection evasion keylogger spyware stealer metastealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443

Threat Level: Known bad

The file b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443 was found to be: Known bad.

Malicious Activity Summary

matiex collection evasion keylogger spyware stealer metastealer

Meta Stealer Stealer

Matiex Main Payload

Matiex

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks BIOS information in registry

Maps connected drives based on registry

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 01:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 01:04

Reported

2022-04-15 01:34

Platform

win7-20220414-en

Max time kernel

58s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe"

Signatures

Matiex

stealer keylogger matiex

Matiex Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1996 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\WerFault.exe
PID 1996 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\WerFault.exe
PID 1996 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\WerFault.exe
PID 1996 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe

"C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe"

C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1252

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp

Files

memory/1468-54-0x0000000001120000-0x00000000011A0000-memory.dmp

memory/1468-55-0x0000000000CC0000-0x0000000000CDC000-memory.dmp

memory/1468-56-0x00000000052F0000-0x0000000005390000-memory.dmp

memory/1996-58-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1996-57-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1996-60-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1996-61-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1996-62-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1996-63-0x000000000047064E-mapping.dmp

memory/1996-65-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1996-67-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1548-68-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 01:04

Reported

2022-04-15 01:34

Platform

win10v2004-20220414-en

Max time kernel

131s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe"

Signatures

Matiex

stealer keylogger matiex

Matiex Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Meta Stealer Stealer

stealer metastealer

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 1332 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
PID 3272 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\netsh.exe
PID 3272 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\netsh.exe
PID 3272 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe

"C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe"

C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 13.69.109.130:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 188.114.96.0:443 freegeoip.app tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/1332-130-0x0000000000670000-0x00000000006F0000-memory.dmp

memory/1332-131-0x0000000005560000-0x0000000005B04000-memory.dmp

memory/1332-132-0x0000000005090000-0x0000000005122000-memory.dmp

memory/1332-133-0x0000000005240000-0x000000000524A000-memory.dmp

memory/1332-134-0x0000000006140000-0x000000000666C000-memory.dmp

memory/1332-135-0x0000000001000000-0x000000000109C000-memory.dmp

memory/1332-136-0x0000000006050000-0x00000000060B6000-memory.dmp

memory/3272-137-0x0000000000000000-mapping.dmp

memory/3272-138-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe.log

MD5 ddde88120da5a6e61cf1c0d1fc3f5c99
SHA1 aef94de11f90c3e6a99478c03d24aa355a6d0e52
SHA256 353067996dbacb8d3ae38dcc754d06b92e34b8511ebe2fda8c2358bbf6b79924
SHA512 64994ad92b4751bf3d580ec683e9387d9f05fe44bcb80c343470e992ac793f94f4811ab7c4f2e7240d40d5fe49df8191b781ef994a7c30df1f80940c7b06e8bd

memory/4480-140-0x0000000000000000-mapping.dmp

memory/3272-141-0x0000000007050000-0x0000000007212000-memory.dmp

memory/3272-142-0x0000000005370000-0x0000000005914000-memory.dmp