General

  • Target: 623e7e4cc3035fc745bf34c07c5fffc4258fac2e4cd2c9f7d4ba2045e24371a0
  • Size: 361KB
  • Sample: 220521-pwy8vsgah9
  • MD5: 882082f3dd2804e3d312ddd3d40d8c3e
  • SHA1: 9791b1459e264789365865168c2070599246c0bb
  • SHA256: 623e7e4cc3035fc745bf34c07c5fffc4258fac2e4cd2c9f7d4ba2045e24371a0
  • SHA512: a6db1b26057de4cf5e2e4abbe7595c94ff0def06f8c5571ce11caf26739ecddad9ed4b5a27f5e3083821143788f4bb62eaefca7955bdc3c10535ca42742f67c2

Malware Config

Targets

    • Target: TNT E-Invoice Cosignment Delivery Notification_pdf.exe
    • Size: 1.1MB
    • MD5: 22e5a3e8fb401981cfdb4bc0c9235e7d
    • SHA1: 5a371efcb5183f96f96082b5fefec1e05b84c21f
    • SHA256: b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264
    • SHA512: d787f86a0ef8da1f29ea3accc3871fd3e78d9f09dccafe58cf13dbbc2a5a19cdfd22001e0417301b9401f6bea79d68c40119aba5a29db9e931ea98e2d294dba3

    Signatures

    • Matiex: Matiex is a keylogger and infostealer first seen in July 2020.
    • Matiex Main Payload
    • Modifies WinLogon for persistence
    • Drops startup file
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic           Technique                              Count  ID
Persistence      Winlogon Helper DLL                    1      T1004
Persistence      Registry Run Keys / Startup Folder     1      T1060
Defense Evasion  Modify Registry                        2      T1112
Collection       Email Collection                       1      T1114

Tasks