General

  • Target

    0db83f951cd91e31097d69a68a6a9e1c801180ca161c7024b665eb2d5422c316

  • Size

    317KB

  • Sample

    220520-rprxbabagj

  • MD5

    6fea872ab5569ca220ae658a3b0b8184

  • SHA1

    a4e1f3855bee1ca715990f81df4a92df4837c1a7

  • SHA256

    0db83f951cd91e31097d69a68a6a9e1c801180ca161c7024b665eb2d5422c316

  • SHA512

    bc3be8c5101e98e15737fd897cee9b4b5e2b7b24826addd1521ce0483bd2ec2d14e2584832328b1ad1d0d48af991ed1355f1ed54b6fe4735cf317a050599e222

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol: smtp
  • Host: mail.greatgoldenqlory.com
  • Port: 587
  • Username: logistics@greatgoldenqlory.com
  • Password: chibuike12345@@@@@
  • Email To: info.expressgloballtd@gmail.com
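The extracted config above is the useful part of this report for a defender: Matiex exfiltrates over SMTP submission (TCP/587) with a hard-coded mailbox, and the username and drop address appear on the wire in every session. The following added example (not part of the report or of the Matiex sample) turns those values into a small detection that runs over network telemetry. The log lines it scans are constructed for the example in a simplified dns/conn/smtp summary format, not captured from the sandbox; the 10.0.0.x, 203.0.113.10 and 198.51.100.7 addresses and the smtp.office365.com host are placeholders. Note that port 587 on its own is not an indicator (the second host in the sample is ordinary mail), so the conn check only fires for IPs that the Matiex host actually resolved to, and the cleartext password is deliberately not used as match content.

```python
"""Match network telemetry against the Matiex SMTP exfil config from the report."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicators copied from the extracted config above.
EXFIL_HOST = "mail.greatgoldenqlory.com"
EXFIL_PORT = 587
EXFIL_USER = "logistics@greatgoldenqlory.com"
EXFIL_RCPT = "info.expressgloballtd@gmail.com"


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def b64_to_text(token: str):
    """Decode one base64 SMTP AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan(log_text: str) -> List[Hit]:
    """Return every line that ties a session to the extracted Matiex config.

    Line formats (constructed for this example, not a real sensor format):
      dns  <src>            query=<name> answer=<ip>
      conn <src>:<sport> -> <dst>:<dport> proto=tcp
      smtp <src> C: <client command or AUTH token>
    """
    hits: List[Hit] = []
    resolved: Set[str] = set()       # IPs the exfil host resolved to so far
    awaiting_token: Set[str] = set() # sources that just sent a bare AUTH LOGIN
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 2:
            continue
        kind, src = fields[0], fields[1]
        if kind == "dns":
            kv: Dict[str, str] = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
            if kv.get("query", "").lower() == EXFIL_HOST:
                if "answer" in kv:
                    resolved.add(kv["answer"])
                hits.append(Hit(n, "DNS lookup of Matiex SMTP host", line))
        elif kind == "conn":
            m = re.search(r"->\s*(\S+):(\d+)", line)
            if m and int(m.group(2)) == EXFIL_PORT and m.group(1) in resolved:
                hits.append(Hit(n, "TCP/587 to an IP resolved from the Matiex SMTP host", line))
        elif kind == "smtp":
            cmd = " ".join(fields[3:])  # payload after "smtp <src> C:"
            if src in awaiting_token:
                awaiting_token.discard(src)
                if b64_to_text(cmd) == EXFIL_USER:
                    hits.append(Hit(n, "AUTH LOGIN username matches extracted config", line))
            elif cmd.upper().startswith("AUTH LOGIN"):
                parts = cmd.split()
                if len(parts) == 3 and b64_to_text(parts[2]) == EXFIL_USER:
                    hits.append(Hit(n, "AUTH LOGIN username matches extracted config", line))
                elif len(parts) == 2:
                    awaiting_token.add(src)   # username arrives on the next client line
            elif EXFIL_RCPT in cmd.lower():
                hits.append(Hit(n, "RCPT TO matches extracted drop address", line))
    return hits


# What AUTH LOGIN actually sends for the extracted username (base64 of the mailbox).
AUTH_TOKEN = base64.b64encode(EXFIL_USER.encode()).decode()

# Constructed sample telemetry: one infected host, one host doing ordinary mail on 587.
SAMPLE_LOGS = f"""\
dns  10.0.0.15  query=mail.greatgoldenqlory.com  answer=203.0.113.10
conn 10.0.0.15:49711 -> 203.0.113.10:587 proto=tcp
smtp 10.0.0.15 C: EHLO DESKTOP-Q1
smtp 10.0.0.15 C: AUTH LOGIN
smtp 10.0.0.15 C: {AUTH_TOKEN}
smtp 10.0.0.15 C: RCPT TO:<info.expressgloballtd@gmail.com>
dns  10.0.0.22  query=smtp.office365.com  answer=198.51.100.7
conn 10.0.0.22:51002 -> 198.51.100.7:587 proto=tcp
smtp 10.0.0.22 C: AUTH LOGIN
smtp 10.0.0.22 C: {base64.b64encode(b"alice@example.com").decode()}
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.reason}\n    {h.line}")
```

Running it reports four hits, all from 10.0.0.15 (the DNS lookup, the TCP/587 connection to the resolved IP, the decoded AUTH LOGIN username and the RCPT TO), while the 10.0.0.22 session on the same port produces none. The same matching can be expressed as a Suricata rule on the RCPT TO string or an SMTP username-to-host correlation in a SIEM; the point is that the extracted mailbox and recipient are far more specific than the port or the IP lookup service noted in the signatures below.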

Targets

    • Target

      PO.exe

    • Size

      645KB

    • MD5

      c30c5dfe0e3c434a2bee493ed9637d23

    • SHA1

      606668d85092f01507e105c28caa9db730a7b98e

    • SHA256

      a97aec67e2a556ec45ea8aa3db146d119d39b14486db55ad5b930f8295eccfae

    • SHA512

      8ba8506638c080ef37ce51e72949405c63c56c6015bf4bd440fed110de161ed746e9fd35ecbcd386f5e696117c8b6e707cc3c7b410cf3466bdd52273db321013

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Reads user/profile data of local email clients

      Email clients store user data such as account settings and saved credentials on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP. The lookup service itself is benign, so on its own this is a weak indicator.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's registers and is commonly used by injection and process-hollowing loaders to redirect execution into injected code; the report does not describe the specific use here.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                  Count  ID
  Defense Evasion     Install Root Certificate   1      T1130
  Defense Evasion     Modify Registry            1      T1112
  Credential Access   Credentials in Files       2      T1081
  Collection          Data from Local System     2      T1005
  Collection          Email Collection           1      T1114

  IDs follow ATT&CK v6; in current ATT&CK versions Install Root Certificate is T1553.004 (Subvert Trust Controls) and Credentials in Files is T1552.001 (Unsecured Credentials).

Tasks