matiex | 5135acb4869394c48a11cd709be73b99085c066bb7a664902e96811b7b41a837

Analysis

Target

8980000809000.exe
Size

619KB
MD5

e04d66f39776231b5b159a053a2b114a
SHA1

c9294ca3bb3401882d1af4d740726deda066e091
SHA256

fbcf45a88ba1f036c2e124ec1939b8e94ffcee01e56e736553938ff4ba5a0dee
SHA512

f965db86ca20748afaafd197ea9c14ed9ad13bad76c33b9300cb81b1db95307421ddb17048550ef118457e9dfd96d2acb93c426447c36c361bed321fbef11c28

Score

10^/10

Family

matiex

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2748-132-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

8980000809000.exe

description pid process target process

PID 4172 set thread context of 2748 4172 8980000809000.exe MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8980000809000.exe

pid process

4172 8980000809000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2748 MSBuild.exe

flow	ioc
39	checkip.dyndns.org

description	pid	process	target process
PID 4172 set thread context of 2748	4172	8980000809000.exe	MSBuild.exe

pid	process
4172	8980000809000.exe

description	pid	process
Token: SeDebugPrivilege	2748	MSBuild.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8980000809000.exe

description	pid	process	target process
PID 4172 wrote to memory of 2748	4172	8980000809000.exe	MSBuild.exe
PID 4172 wrote to memory of 2748	4172	8980000809000.exe	MSBuild.exe
PID 4172 wrote to memory of 2748	4172	8980000809000.exe	MSBuild.exe
PID 4172 wrote to memory of 2748	4172	8980000809000.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

memory/2748-131-0x0000000000000000-mapping.dmp

Download
memory/2748-132-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2748-133-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/2748-134-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/2748-135-0x0000000006070000-0x0000000006614000-memory.dmp

Filesize
5.6MB

Download
memory/4172-130-0x0000000000B80000-0x0000000000BB2000-memory.dmp

Filesize
200KB

Download