matiex | e9295dd329dcc4a87a96772a910ba5d951f20bf5b4aad56dd2504eb10969fa88

General

Target

M09080000000.exe
Size

619KB
MD5

072c613d1f936ac409e59949503ab55e
SHA1

ed85d7ea0a061e9c971cc01ab47efad6028eef76
SHA256

90524b90bad8dd82b6b6aa41f4f98211dd5e6d0c9524e72a72e8a1e855b71689
SHA512

980517439fdcda8021053ec66a42203f9ec2f2be9e4a3490b120ed964454e74d3a0beea0e10c7f2a8bd2bda6cdbc45624efd5d317cd58fe170151436cb1e6048

Score

10^/10

matiex collection keylogger spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4628-133-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

M09080000000.exe

description pid process target process

PID 2560 set thread context of 4628 2560 M09080000000.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3644 4628 WerFault.exe RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

M09080000000.exe

pid process

2560 M09080000000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 4628 RegAsm.exe

flow	ioc
10	checkip.dyndns.org

description	pid	process	target process
PID 2560 set thread context of 4628	2560	M09080000000.exe	RegAsm.exe

pid	pid_target	process	target process
3644	4628	WerFault.exe	RegAsm.exe

pid	process
2560	M09080000000.exe

description	pid	process
Token: SeDebugPrivilege	4628	RegAsm.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

M09080000000.exe

description	pid	process	target process
PID 2560 wrote to memory of 4628	2560	M09080000000.exe	RegAsm.exe
PID 2560 wrote to memory of 4628	2560	M09080000000.exe	RegAsm.exe
PID 2560 wrote to memory of 4628	2560	M09080000000.exe	RegAsm.exe
PID 2560 wrote to memory of 4628	2560	M09080000000.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\M09080000000.exe
"C:\Users\Admin\AppData\Local\Temp\M09080000000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1788
3⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4628 -ip 4628
1⤵
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2560-130-0x0000000000A50000-0x0000000000AF0000-memory.dmp

Filesize
640KB

Download
memory/2560-131-0x00000000013C0000-0x000000000146B000-memory.dmp

Filesize
684KB

Download
memory/4628-132-0x0000000000000000-mapping.dmp

Download
memory/4628-133-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4628-134-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/4628-135-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/4628-136-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads