General

  • Target

    91f71bae5c1c349b2bb32f8ad9c45ce6c4a4febe778612abd5837c373cd35e13

  • Size

    263KB

  • Sample

    220521-cz2ryaegd4

  • MD5

    83b12fa90b9f6278e7740d729df13ac2

  • SHA1

    ab505542f7af867e3d530f5c1c11b22bcca09859

  • SHA256

    91f71bae5c1c349b2bb32f8ad9c45ce6c4a4febe778612abd5837c373cd35e13

  • SHA512

    c828a2aa5f6ceb17b242acffad6a5ba147d0b8ebd62c2118b1e7e38c1e96dfc437225f83d4d78e0f028b95221401b530a442b52a407fee957ba3e900f9213bef

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    mail.salujaford.in
  • Port:
    587
  • Username:
    backup@salujaford.in
  • Password:
    saluja@#$chd

Targets

    • Target

      Payment_Advice.pdf.exe

    • Size

      406KB

    • MD5

      90ca190833ba167e67a64a3d39128564

    • SHA1

      07195c9698651033e836a909db47e5bef5254ef3

    • SHA256

      d8e06b19a570b7ac261cc5ea283844c95871a2ee5340cc7a6a2581dfdee1f36b

    • SHA512

      c4bf951da169194b5cad9b3cf4c78505efe07d92899396009c8c0699eacd64fda25f02d3e89e9fe3b01e116a1a5430422d7a3fb46eb42bdc8845e9706226aeb0

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 2

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 4
  • Virtualization/Sandbox Evasion (T1497): 2
  • System Information Discovery (T1082): 2
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 1
  • Email Collection (T1114): 1