General

  • Target: d6cc26090184738bc0af6fc4962ef79065c7906326f29b23761e699f8e59b872
  • Size: 468KB
  • Sample: 220520-3qmjrshch5
  • MD5: 599fa4800a705f0a95927e2d1340c73d
  • SHA1: 5d97bd35c7fb609357070af78fbf7ee392409c8a
  • SHA256: d6cc26090184738bc0af6fc4962ef79065c7906326f29b23761e699f8e59b872
  • SHA512: 9080aa0c3683e780891faee1324f3ad35ffae1721c67c764c3c714b9b965dc7aa1885637d141c49b09625891f8dcb97fe5aef88825c6aeb6c4b08d60bd0627a5

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    infokingking88@yandex.ru
  • Password:
    kingmoney12345

Targets

    • Target: URGENT.PO.pdf.exe
    • Size: 647KB
    • MD5: c934ff92eb72cb2a4a7e3beebe46c07c
    • SHA1: 3cede206bd43133a07c5ef67281b922b58f28d8b
    • SHA256: 45a2796fe63b4de3b22f992d5259ca8efdf22d33670c5446a71d288d9f182ef5
    • SHA512: 714df13bd235e92285576f32133d0cb1fdb8fc0c68ea3db030984f957a5d583c44f14b89b05eafff07a9e37aecdd74768424e89f1f391c34319d0637b74ef96f

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                  ID      Count
  Defense Evasion     Install Root Certificate   T1130   1
  Defense Evasion     Modify Registry            T1112   1
  Credential Access   Credentials in Files       T1081   2
  Collection          Data from Local System     T1005   2
  Collection          Email Collection           T1114   1
