matiex | 0d299a6d58a64c85f7ecad8788c760a802dac518532447381f4fd1ad2f422068

Analysis

max time kernel
1s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 04:43

Target

28a9b97d2fe877db717765b1370bf505.exe
Size

791KB
MD5

28a9b97d2fe877db717765b1370bf505
SHA1

b3381f7e44a4449332b602c5d4a40656575e3305
SHA256

0d299a6d58a64c85f7ecad8788c760a802dac518532447381f4fd1ad2f422068
SHA512

b779ccac3a3c2b7094ff114e83e60bc07c0c0e29b720952cc704baf44599a7436999c39ac1d73f6b29ea98bd1e897fe879c27ecfe3ac5758ba3c9f931266416f
SSDEEP

12288:GEok+AOmFJbSBKiO6U8amEtwyaHgT7CTgVbPfOvWmJqXw12ZuH1th1Vul19KAzeZ:kEigvKIo0K

Score

10^/10

Family

matiex

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2812-9-0x0000000005620000-0x0000000005636000-memory.dmp	family_zgrat_v1

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4124-10-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 checkip.dyndns.org
25 freegeoip.app
32 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

28a9b97d2fe877db717765b1370bf505.exe

description pid process target process

PID 2812 set thread context of 4124 2812 28a9b97d2fe877db717765b1370bf505.exe 28a9b97d2fe877db717765b1370bf505.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3184 4124 WerFault.exe 28a9b97d2fe877db717765b1370bf505.exe

description	pid	process	target process
PID 2812 set thread context of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe

pid	pid_target	process	target process
3184	4124	WerFault.exe	28a9b97d2fe877db717765b1370bf505.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

28a9b97d2fe877db717765b1370bf505.exe

description	pid	process	target process
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe
PID 2812 wrote to memory of 4124	2812	28a9b97d2fe877db717765b1370bf505.exe	28a9b97d2fe877db717765b1370bf505.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4124 -ip 4124
1⤵
PID:1060

memory/2812-3-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2812-4-0x0000000005720000-0x0000000005796000-memory.dmp

Filesize
472KB

Download
memory/2812-5-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/2812-6-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/2812-7-0x00000000055F0000-0x000000000560E000-memory.dmp

Filesize
120KB

Download
memory/2812-2-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/2812-8-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/2812-1-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2812-0-0x0000000000B70000-0x0000000000C3C000-memory.dmp

Filesize
816KB

Download
memory/2812-9-0x0000000005620000-0x0000000005636000-memory.dmp

Filesize
88KB

Download
memory/2812-15-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-16-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4124-14-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-13-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/4124-10-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4124-17-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download