matiex | 6d63ce63a5e3739b672cee98df82016b785931edd059568123d6dc4f0676ed48

General

Target

ADHOC RFQ-97571784.exe
Size

752KB
MD5

3b6a5dff660d98b9bf28fcd5d405f730
SHA1

ff5edd294f28d909cdc7bda80d2c9cdb217684f0
SHA256

3cb6e41efa5dff6ef7957b9ae07c6b47f2ec35bc88889424d83ca3e96bcf3922
SHA512

3b031fbbbd6921659bd8ca68e50870128cb9e938552b72386c70a7288bf6b03a655da514f033f89d8a461019f8b54deb79a4a6c162989a052bdee81b5273fcee

Score

10^/10

Family

matiex

Credentials

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/316-137-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

ADHOC RFQ-97571784.exe

description pid process target process

PID 3552 set thread context of 316 3552 ADHOC RFQ-97571784.exe ADHOC RFQ-97571784.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ADHOC RFQ-97571784.exe

description pid process

Token: SeDebugPrivilege 316 ADHOC RFQ-97571784.exe

flow	ioc
31	checkip.dyndns.org

description	pid	process	target process
PID 3552 set thread context of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe

description	pid	process
Token: SeDebugPrivilege	316	ADHOC RFQ-97571784.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ADHOC RFQ-97571784.exe

description	pid	process	target process
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe
PID 3552 wrote to memory of 316	3552	ADHOC RFQ-97571784.exe	ADHOC RFQ-97571784.exe

C:\Users\Admin\AppData\Local\Temp\ADHOC RFQ-97571784.exe
"C:\Users\Admin\AppData\Local\Temp\ADHOC RFQ-97571784.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADHOC RFQ-97571784.exe.log
Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
memory/316-136-0x0000000000000000-mapping.dmp

Download
memory/316-137-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/316-139-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/3552-130-0x0000000000EB0000-0x0000000000F74000-memory.dmp

Filesize
784KB

Download
memory/3552-131-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/3552-132-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/3552-133-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/3552-134-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/3552-135-0x0000000005C10000-0x0000000005C66000-memory.dmp

Filesize
344KB

Download