General

  • Target

    0f888907403ebaee309e7927c72e5ebd6aca817209fd1a5a8ceaa0b028116fcd

  • Size

    886KB

  • Sample

    220520-2q1wqafgg8

  • MD5

    120e64a8a2f32751de5ac49daa0dcbd1

  • SHA1

    db9f9d90aff33e06e7e28bbee1e2fb59b48cf6c5

  • SHA256

    0f888907403ebaee309e7927c72e5ebd6aca817209fd1a5a8ceaa0b028116fcd

  • SHA512

    e3ec8dd27e1ab85cd93b7f139b2e2010646e5388b6ff69ba6de23230e879a3a431dc2fc42c9978bd7456533c59b20c68164242c0f049e27147b4b4ec9bfb4dad

Malware Config

Targets

    • Target

      PO.exe

    • Size

      1.6MB

    • MD5

      e34037661a1608c722e5264797b2eecf

    • SHA1

      2c02034a6d91d9e2b21504a4bec82ec36d7bdd5d

    • SHA256

      fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0

    • SHA512

      4fec9aa1afe6a414a18998dd2bb867599330baef5fce02f553823f372b7d81a4006287daefc96a8fa197fe579989ec49d1c73c5034d1c48317e3f4d70e5d44df

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Modifies WinLogon for persistence

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      new PO.exe

    • Size

      186KB

    • MD5

      07717e9884997d9f6a94216331598047

    • SHA1

      a720716cd3f7a44d8a8e9b669e053d98a44ae7a1

    • SHA256

      e68cce62fb85b2349c45eb042fa02fc55da099883441c1cd79bac8132680a09d

    • SHA512

      18a9d8d2a219232edb9de78522bda7b93966ad22521fb463837095f0bc8b15281d91ee44fe134c2651a68ef123e096309e2fd27927ba8fe0d1317434c4cc70e5

    • Score

      3/10

    • Target

      req.exe

    • Size

      194KB

    • MD5

      5c0efa906b43ad42826a5fa894fa8b95

    • SHA1

      f08ee13771c5608b7e18087b8e3ffd2076a114e8

    • SHA256

      347be975b764b78ec7860ee7c61c443fb63d6d330e7897acb8ac701cf37bb685

    • SHA512

      82bcf52a00ddbaba072064aaacd95df401675f28cc0844a15d316047cc4788ed7d6335397dccf8b5f4da78e3acd24d24a7ccb188941ecb1c854ff681c8ca8792

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic              Technique                            Count  ID
    Persistence         Winlogon Helper DLL                  1      T1004
    Persistence         Registry Run Keys / Startup Folder   1      T1060
    Defense Evasion     Modify Registry                      2      T1112
    Credential Access   Credentials in Files                 2      T1081
    Collection          Data from Local System               2      T1005
    Collection          Email Collection                     1      T1114

Tasks