General
-
Target
188ea8720540579f6ec633808320ede594eb7efe136084da88795c05eaff6f0d
-
Size
1.1MB
-
Sample
220520-2qxjasahaj
-
MD5
538a481066fb860b1cff4d5d62a876ba
-
SHA1
e16284d27fd084cfa1a3692ad555742ebfb274b3
-
SHA256
188ea8720540579f6ec633808320ede594eb7efe136084da88795c05eaff6f0d
-
SHA512
259a4cddfe0bd10c1e3f4589c1172f012cac944819f6b43889e2d7516a5c7794a48e06c162fe6f9c3a7fec50dc772101dd34ec4fc63e80b5764aa6483fc1845f
Static task
static1
Behavioral task
behavioral1
Sample
Payment receipt.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payment receipt.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
matiex
Protocol: smtp
Host: SMTP.privateemail.com
Port: 587
Username: mentorloz@returntolz.com
Password: Aboki@1234
Targets
-
Target
Payment receipt.exe
-
Size
3.2MB
-
MD5
c9cf119294179100f7f97a28eb2f2fee
-
SHA1
7e958a40fc753c1417623263fdabbbc38fd7de72
-
SHA256
0d5a1c4bba8bc36879548a2a75bbd81573f9188cc99d414a2d81f2cb7bf75218
-
SHA512
7750149807c03d1d668110eea9081d374e393bb2cdcf6a4358d92be0af3afbf0352a4cdd6cb5e7d691300b918dcbee7faaef6015580bc39032f76168d77df13c
-
Matiex Main Payload
-
Modifies WinLogon for persistence
-
Drops startup file
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext