Overview

overview

10

Static

static

Swift Copy.exe

windows7_x64

10

Swift Copy.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ee6f477b461b93163941c7c89a6f177fb7f2831b4038dbef59a1f0672d43a646

  • Size

    266KB

  • Sample

    220521-a84lsaeeej

  • MD5

    0aa2853387215022946fa4b8c18ebabd

  • SHA1

    2c9e642c02f6782e578b3964f08085f1057f15c2

  • SHA256

    ee6f477b461b93163941c7c89a6f177fb7f2831b4038dbef59a1f0672d43a646

  • SHA512

    9e148c06cd9b906ac7de56cdde685ba30cc56c10ee7c2508e7764b6155029b269c2548d29639f0dafd6b5ed144094cd0d1aa9017bb085cdad0debecb0ac6e96d

Score
10/10
matiexcollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    enugu042

Targets

    • Target

      Swift Copy.exe

    • Size

      337KB

    • MD5

      afc0f78081dad95484a2fc7f6796e9fd

    • SHA1

      04074934445e1d662102ca3a3054bf5234a3dcab

    • SHA256

      a53234e64371c8586c0021df965b5cd0b23cd0f7db970a71ad686068df0bd850

    • SHA512

      6b5920fb28044c520ce37b0316c4ce7d10c5a3aa8b800adca54da3e315c7abbba34c68d4ea729aa34f60898e6fae39b9f459ce4eec7ef19ec6db53da3225fb5c

    Score
    10/10
    matiexcollectionkeyloggerspywarestealer

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

      stealerkeyloggermatiex

    • Matiex Main Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks