Overview

overview

10

Static

static

3

8988b694b9...75.exe

windows7-x64

10

8988b694b9...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2024 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8988b694b9df9186d686b9479984c675.exe

  • Size

    908KB

  • MD5

    8988b694b9df9186d686b9479984c675

  • SHA1

    d54c8e34344c3b86cc883c2ffa89d020c0911755

  • SHA256

    0e9b75e527544aa8db9880eb423b73f0edfb79995be585eb2d69c735068d082e

  • SHA512

    72352807711c2a1799920fdc934ab3aaa1730b718447c8c70fefebb3c7243941feeb9c05f2eced48358ca114df789e97ad3be160b766e773312535de27d6e4c6

  • SSDEEP

    12288:Y7KAD7WCSbo4N2So9pGwINUbKbSZTlWxYGNhCJh7EW58M8zOGcbq1TT6ygvhNwEc:eK+Ms9fAkvhS+c9

Score
10/10
matiexzgratcollectionkeyloggerratspywarestealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Signatures

  • Detect ZGRat V1 1 IoCs
  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main payload 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe
    "C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe
      "C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 2608
        3⤵
        • Program crash
        PID:3476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
    1⤵
      PID:4920

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8988b694b9df9186d686b9479984c675.exe.log
      Filesize

      886B

      MD5

      adee6fb564e48f4dbda9d98bd2aacad8

      SHA1

      f2f291e4460a2247d63df73ccb35dc7b53e266e7

      SHA256

      3399d074790192d222b9c886656f60bde71df3cff3103b10c88a4323386afd73

      SHA512

      c461ae2006d3cb512c2c9083102c72b34c31a54ea97e0aaa1c0353eb51bc2ea47f119065b47cd92f4aba7df86699a2dbe4c1e62a9be05fd058703ca84386d907

      Download Submit
    • memory/2964-10-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2964-17-0x00000000747C0000-0x0000000074F70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2964-16-0x0000000005A90000-0x0000000005AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2964-15-0x0000000005880000-0x00000000058E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2964-13-0x00000000747C0000-0x0000000074F70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3412-4-0x0000000005260000-0x00000000052D6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3412-7-0x0000000005120000-0x000000000513E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3412-8-0x0000000005380000-0x00000000053E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3412-9-0x0000000005160000-0x0000000005176000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3412-6-0x0000000005460000-0x0000000005470000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3412-5-0x00000000052E0000-0x000000000537C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3412-0-0x00000000747C0000-0x0000000074F70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3412-14-0x00000000747C0000-0x0000000074F70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3412-3-0x00000000051C0000-0x0000000005252000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3412-2-0x00000000056D0000-0x0000000005C74000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3412-1-0x0000000000660000-0x000000000074A000-memory.dmp
      Filesize

      936KB

      Download