General

  • Target

    cd8d944df4259af50a3fa6a148cf922ac579e2bc379ca85d554d33dbe62642f3

  • Size

    319KB

  • Sample

    220520-3syptacdak

  • MD5

    24648d6dbb665a6ca685c3e92c389981

  • SHA1

    be5f5ec9954dd8f2e7f9b6e76317f20461c053b1

  • SHA256

    cd8d944df4259af50a3fa6a148cf922ac579e2bc379ca85d554d33dbe62642f3

  • SHA512

    16041ee5f146a80327c25abf45d89dd9cfc35bc24dde31f63fafa40ef8af87172739bd377163c06a1a7b4926deee10ffeaf5b02bc0d2cd4a3f67396cc9903137

Malware Config

Extracted

  • Family
    matiex
  • Credentials
    • Protocol: smtp
    • Host: smtp.yandex.com
    • Port: 587
    • Username: k4kuml@yandex.com
    • Password: GOOD123456

Targets

    • Target

      Purchase Order.pdf.exe

    • Size

      361KB

    • MD5

      206f4433e9871eb640d993237c23933e

    • SHA1

      c915f546298de42e3f5b7c1eb674dc4d0425df04

    • SHA256

      074c065bacbb7880ce7f0d4d2ef0794398bf9152beb9a59d6d7f096b6e94e44d

    • SHA512

      49f0cb6eac3be11aea716f7038e31626804734e41cf0ef5cd62e52af6297eba4046501cf01c42f97b2d247c2111f4d962ccc9ada4e1ba52ad8cc932eab7a735a

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), count 1
  • Persistence: Scheduled Task (T1053), count 1
  • Privilege Escalation: Scheduled Task (T1053), count 1
  • Credential Access: Credentials in Files (T1081), count 2
  • Discovery: Query Registry (T1012), count 1
  • Discovery: System Information Discovery (T1082), count 2
  • Collection: Data from Local System (T1005), count 2
  • Collection: Email Collection (T1114), count 1
