matiex | 0e9b75e527544aa8db9880eb423b73f0edfb79995be585eb2d69c735068d082e

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8988b694b9df9186d686b9479984c675.exe
Size

908KB
MD5

8988b694b9df9186d686b9479984c675
SHA1

d54c8e34344c3b86cc883c2ffa89d020c0911755
SHA256

0e9b75e527544aa8db9880eb423b73f0edfb79995be585eb2d69c735068d082e
SHA512

72352807711c2a1799920fdc934ab3aaa1730b718447c8c70fefebb3c7243941feeb9c05f2eced48358ca114df789e97ad3be160b766e773312535de27d6e4c6
SSDEEP

12288:Y7KAD7WCSbo4N2So9pGwINUbKbSZTlWxYGNhCJh7EW58M8zOGcbq1TT6ygvhNwEc:eK+Ms9fAkvhS+c9

Score

10^/10

matiex zgrat keylogger rat stealer

Malware Config

Extracted

Family

matiex

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1216-4-0x0000000000490000-0x00000000004A6000-memory.dmp	family_zgrat_v1

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 7 IoCs

resource	yara_rule
behavioral1/memory/2756-9-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2756-10-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2756-13-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2756-15-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2756-17-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2756-20-0x0000000004FC0000-0x0000000005000000-memory.dmp	family_matiex
behavioral1/memory/2756-22-0x0000000004FC0000-0x0000000005000000-memory.dmp	family_matiex

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	8988b694b9df9186d686b9479984c675.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28
PID 1216 wrote to memory of 2756	1216	8988b694b9df9186d686b9479984c675.exe	28

C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe
"C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe
  "C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1216-0-0x0000000001190000-0x000000000127A000-memory.dmp

Filesize
936KB

Download
memory/1216-2-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1216-3-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/1216-4-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/1216-18-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-10-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-9-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-7-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-13-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-17-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-5-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-19-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-20-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/2756-21-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-22-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/2756-23-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download