General

  • Target

    67355213a21949a6abc12f65fb4f96f6c9ca82d60dac379984ce374b0e00ce26

  • Size

    107KB

  • Sample

    220521-mjazdsfabj

  • MD5

    663c6faedef6d2cb4b4b189789ac16ba

  • SHA1

    84770b9d0df19f22603c3ec3ee1f207596d3bd2c

  • SHA256

    67355213a21949a6abc12f65fb4f96f6c9ca82d60dac379984ce374b0e00ce26

  • SHA512

    4997684fe03af046b9ad1d1af0b14890a44ffeeca13b79dc532f184dd64bc8a5001f5efa5afa1091652042f3c96015da1d26ef877077173ae01f14662a498283

Malware Config

Targets

    • Target

      Payment receipt.exe

    • Size

      128KB

    • MD5

      497856229ec8ae87bda86469bf72ef64

    • SHA1

      844329ce2db6a3a6929719f27766474f77c7d047

    • SHA256

      b8888ca416fcb0b2fa48e131a3fbadf177ed9f26528d620ff1df804f17ea8c64

    • SHA512

      6cadd85b8a3cdb42b202ff45d198b1ef7b73d1ba4a3d612066be3ee95999d49d46b699f6d073bb143cdd8b3f4d89144c3528b3ad7f788f74abeed846945e932f

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Modifies WinLogon for persistence

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Tasks