General
- Target: b20a52eb7cff0171a3465aa4cd406d3787ec9fe04ffc1553fed9f42e3f3491f2
- Size: 370KB
- Sample: 220521-crg3kahdek
- MD5: e8ae1055bd396e80f64063d6b74b1eba
- SHA1: d1f02538f8290b46a63496a84e555eee1303ee1e
- SHA256: b20a52eb7cff0171a3465aa4cd406d3787ec9fe04ffc1553fed9f42e3f3491f2
- SHA512: 2a3b7e7cbf36d11c5a17b445e80585888e172d7755c9126e3226f277d17197f78793674369d32525f96f30b520fcd103ffbd2445ae3b8dfe0ddbecb87b667e09
Static task: static1
Behavioral task: behavioral1
- Sample: DHL_AWB #1008936572891_pdf.exe
- Resource (sandbox VM image): win7-20220414-en
Behavioral task: behavioral2
- Sample: DHL_AWB #1008936572891_pdf.exe
- Resource (sandbox VM image): win10v2004-20220414-en
Malware Config
Extracted
- Family: matiex
- Exfiltration URL (Telegram Bot API, sendMessage to a fixed chat): https://api.telegram.org/bot1328029504:AAGKFzQ1tJdWqJzQg7lW0DK-JgG0_8hFEEk/sendMessage?chat_id=1072388187
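The Telegram Bot API URL in the extracted Matiex config is the exfiltration channel: the path carries the bot token (numeric bot id plus secret) and the query string carries the destination chat. The Python below is an added example, not part of the report or of the sandbox's own tooling. It splits that URL into the fields an analyst records as indicators and then hunts for Bot API calls in a proxy log; the log lines and client IPs are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Exfiltration URL exactly as extracted from the sample's Matiex config (taken from the report).
MATIEX_TELEGRAM_URL = (
    "https://api.telegram.org/bot1328029504:AAGKFzQ1tJdWqJzQg7lW0DK-JgG0_8hFEEk"
    "/sendMessage?chat_id=1072388187"
)

# Telegram Bot API path layout: /bot<bot_id>:<secret>/<method>
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)


def parse_telegram_exfil(url):
    """Split a Telegram Bot API URL into the fields a responder records as indicators.

    Returns None when the URL is not a Telegram Bot API call at all.
    """
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    match = _BOT_PATH.match(parts.path)
    if not match:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": match.group("bot_id"),
        # The full token is the credential: whoever holds it can read and send as the bot.
        "token": f"{match.group('bot_id')}:{match.group('secret')}",
        "method": match.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
    }


# Constructed proxy log lines for the example (not from the report):
# "<timestamp> <client_ip> <http_method> <url>". Client IPs are assumptions.
SAMPLE_PROXY_LOG = """\
2022-05-21T10:01:03Z 10.0.0.15 GET https://www.microsoft.com/en-us/
2022-05-21T10:01:09Z 10.0.0.15 POST https://api.telegram.org/bot1328029504:AAGKFzQ1tJdWqJzQg7lW0DK-JgG0_8hFEEk/sendMessage?chat_id=1072388187
2022-05-21T10:02:44Z 10.0.0.22 POST https://api.telegram.org/bot999999999:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument
2022-05-21T10:03:10Z 10.0.0.15 GET https://checkip.amazonaws.com/
"""


def hunt_telegram_bot_traffic(log_text, known_tokens=()):
    """Flag every Telegram Bot API call in a proxy log.

    Each hit carries the parsed fields plus the source client and whether the
    token matches a known C2 token (an exact-match IOC from a malware config).
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _http_method, url = fields[:4]
        info = parse_telegram_exfil(url)
        if info is None:
            continue
        info["client"] = client
        info["timestamp"] = timestamp
        info["known_c2"] = info["token"] in known_tokens
        hits.append(info)
    return hits


if __name__ == "__main__":
    ioc = parse_telegram_exfil(MATIEX_TELEGRAM_URL)
    print("Extracted Telegram IOC:", ioc)
    for hit in hunt_telegram_bot_traffic(SAMPLE_PROXY_LOG, known_tokens={ioc["token"]}):
        flag = "KNOWN C2" if hit["known_c2"] else "unknown bot"
        print(f"{hit['timestamp']} {hit['client']} -> bot {hit['bot_id']} {hit['method']} [{flag}]")
```

Two points for use in practice. Hunting on the bot path rather than on the host keeps legitimate Telegram clients out of the results, since those do not call api.telegram.org/bot<token>/ paths, while any unknown bot token seen from an endpoint is still worth a look. The token is a live credential for the attacker's bot; treat it as an indicator to block and report, not as something to call from your own network.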
Targets
- Target: DHL_AWB #1008936572891_pdf.exe
- Size: 1.5MB
- MD5: 4aef48d3cbbaaf5e04c061d9e2b7a43e
- SHA1: beb448364273779feee179e0802ab2e4d0c320db
- SHA256: 19dd4bf0d6b8777c37e1e6959519b46a9b2755cb80c6ae95572c2e8d48991405
- SHA512: d11a63b4488a39aa4e73e63f0b48aad7c5cb82ca647b5c5447ce7a6c5c5a53db5b426209d58c58ad336f5e887bc870b58296170ea96543b90711abd1b6252d62
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic .NET).
- Matiex Main Payload
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence (the sample can decide to run or abort based on the victim's configured country).
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles: the profile data where Outlook stores account settings and saved credentials, consistent with credential theft.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, typically to tag the stolen data before exfiltration.
- Suspicious use of SetThreadContext: the pattern seen when a loader hollows a suspended process and redirects its main thread to injected code (process hollowing / RunPE).
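The signatures above are behavioural: each is a rule over the events the sandbox recorded (registry reads and writes, file drops, API calls, HTTP requests). The Python below is an added example, not the sandbox's own rule engine, showing how such a signature set is evaluated over a trace and how the individual hits combine into a stealer verdict. The event trace is constructed, and the concrete registry paths, API name and IP lookup hostnames that each signature is mapped to are this example's assumptions; the report does not show which values the sample actually read.

```python
import re

# Constructed sandbox event trace for the example (not from the report).
# One event per line, "<event_type>|<detail>". Paths, values and hostnames are assumptions.
SAMPLE_TRACE = r"""FILE_WRITE|C:\Users\user\AppData\Roaming\svchost.exe
PROCESS_CREATE|C:\Users\user\AppData\Roaming\svchost.exe
REG_WRITE|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate=C:\Users\user\AppData\Roaming\svchost.exe
REG_READ|HKCU\Control Panel\International\Geo\Nation
REG_READ|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API_CALL|SetThreadContext(hThread=0x1c8)
HTTP_GET|http://checkip.amazonaws.com/
FILE_WRITE|C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
"""

# Signature names are the ones the report lists. The event types and patterns are this
# example's own assumptions about what each one looks for; the sandbox's real rules are
# not on the page. The geofence check is modelled on the GeoID value under
# HKCU\Control Panel\International\Geo, a common place to read the configured country.
SIGNATURES = [
    ("Adds Run key to start application", "REG_WRITE",
     r"\\CurrentVersion\\Run\\"),
    ("Drops startup file", "FILE_WRITE",
     r"\\Start Menu\\Programs\\Startup\\"),
    ("Checks computer location settings", "REG_READ",
     r"\\Control Panel\\International\\Geo\\"),
    ("Accesses Microsoft Outlook profiles", "REG_READ",
     r"\\Office\\[\d.]+\\Outlook\\Profiles\\"),
    ("Looks up external IP address via web service", "HTTP_GET",
     r"^https?://(checkip\.amazonaws\.com|api\.ipify\.org|icanhazip\.com)/"),
    ("Suspicious use of SetThreadContext", "API_CALL",
     r"^SetThreadContext\("),
]


def match_signatures(trace_text):
    """Map a trace to {signature name: [triggering event details]}.

    Stateless signatures are regex matches on one event. "Executes dropped EXE" is
    stateful: a process must be started from a path the sample itself wrote earlier.
    """
    hits = {}
    dropped_files = set()
    for line in trace_text.splitlines():
        if "|" not in line:
            continue
        event_type, detail = line.split("|", 1)
        if event_type == "FILE_WRITE":
            dropped_files.add(detail.lower())
        elif event_type == "PROCESS_CREATE" and detail.lower() in dropped_files:
            hits.setdefault("Executes dropped EXE", []).append(detail)
        for name, wanted_type, pattern in SIGNATURES:
            if event_type == wanted_type and re.search(pattern, detail, re.IGNORECASE):
                hits.setdefault(name, []).append(detail)
    return hits


PERSISTENCE = {"Adds Run key to start application", "Drops startup file"}
CREDENTIAL_ACCESS = {"Accesses Microsoft Outlook profiles"}
EXFIL_PREP = {"Looks up external IP address via web service"}


def stealer_verdict(hits):
    """True when persistence, credential-store access and exfil preparation all co-occur,
    the combination this report shows, rather than any single signature on its own."""
    present = set(hits)
    return bool(present & PERSISTENCE) and bool(present & CREDENTIAL_ACCESS) and bool(present & EXFIL_PREP)


if __name__ == "__main__":
    hits = match_signatures(SAMPLE_TRACE)
    for name, events in hits.items():
        print(f"[+] {name}")
        for event in events:
            print(f"      {event}")
    print("Stealer-like behaviour:", stealer_verdict(hits))
```

The verdict deliberately requires signatures from more than one stage: a Run key on its own is how plenty of legitimate installers behave, and an external IP lookup on its own is noise, but persistence plus Outlook profile access plus an IP lookup in one trace is the shape of a credential stealer preparing to report home. The report's remaining signatures (Loads dropped DLL, the two payload detections) are family or payload identifications rather than behaviour and are left out of this example.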