matiex | 5995d49dd8ebd718b0232c7eb37a8f81996be3f9d76b5c76bdcd2dbf09302648

General

Target

9ef4e0f2ee00f17614f4eb5d39686051.exe
Size

880KB
MD5

9ef4e0f2ee00f17614f4eb5d39686051
SHA1

f1c0a8539699522b0f29a01ee99334d823e9d356
SHA256

5995d49dd8ebd718b0232c7eb37a8f81996be3f9d76b5c76bdcd2dbf09302648
SHA512

56b8c58c99bfe73944ff144faaae2a8dc6bb44c6cad4e4c5d82447f1d7085d5b78739111d387a08f6f6c4f5b8677f7ede4697816aee2b894d6029a1050ea12ed
SSDEEP

12288:u6csGI/cgDF5gHMm6oAuUSzdnyTLfhiWBB9zI8WuZGH/0yr63km62EObbo:uKLgsrZQxnynfhiQn4zrS2

Score

10^/10

matiex collection keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989
Email To:
[email protected]

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 1 IoCs

resource	yara_rule
behavioral2/memory/4740-13-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	checkip.dyndns.org
48	freegeoip.app
49	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1028	4740	WerFault.exe	93

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open\command\	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open\command	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\ms-settings\shell\open	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4696	9ef4e0f2ee00f17614f4eb5d39686051.exe
4696	9ef4e0f2ee00f17614f4eb5d39686051.exe
4740	vbc.exe
4740	vbc.exe
4740	vbc.exe
4740	vbc.exe
4740	vbc.exe
4740	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe
Token: SeDebugPrivilege	4740	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 2528	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	92
PID 4696 wrote to memory of 2528	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	92
PID 4696 wrote to memory of 2528	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	92
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93
PID 4696 wrote to memory of 4740	4696	9ef4e0f2ee00f17614f4eb5d39686051.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9ef4e0f2ee00f17614f4eb5d39686051.exe
"C:\Users\Admin\AppData\Local\Temp\9ef4e0f2ee00f17614f4eb5d39686051.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 2012
    3⤵
    - Program crash
    PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4740 -ip 4740
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4696-10-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4696-0-0x0000000000890000-0x0000000000972000-memory.dmp

Filesize
904KB

Download
memory/4696-2-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/4696-3-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/4696-4-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4696-5-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4696-6-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/4696-15-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4696-8-0x0000000005660000-0x0000000005678000-memory.dmp

Filesize
96KB

Download
memory/4696-1-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4696-7-0x00000000056B0000-0x0000000005706000-memory.dmp

Filesize
344KB

Download
memory/4696-11-0x0000000009310000-0x00000000093AA000-memory.dmp

Filesize
616KB

Download
memory/4696-12-0x000000000BB10000-0x000000000BB8C000-memory.dmp

Filesize
496KB

Download
memory/4696-9-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4740-18-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4740-16-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4740-17-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/4740-13-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4740-19-0x0000000006AE0000-0x0000000006CA2000-memory.dmp

Filesize
1.8MB

Download
memory/4740-20-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing