General

  • Target

    0dbc7d1d1a1a39909fc5bd569bc623bb_JaffaCakes118

  • Size

    566KB

  • Sample

    240502-g25ntsdd34

  • MD5

    0dbc7d1d1a1a39909fc5bd569bc623bb

  • SHA1

    f3063a4eead8c3d13950d843a80211c4c561beb9

  • SHA256

    1f7d006c51d203f691d67a56b1f3b7cd80d33e96b36b359d48cdd837d281fc93

  • SHA512

    e2d4d8296ac78e3be7b4f8d308df5e759fa70694bd696cf21ad21ac6b26d0e2143d502e454fefffc78ec21b2cf459127a00ae58dfe5fa08a83bdfdf7f92a37fa

  • SSDEEP

    12288:9g40W9O7y9w36HIUiYOfBQg3BlkRFxEA2oLyMnJih5th6gZ:HOe+36FgR30RHUhbogZ

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    srvc13.turhost.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    italik2015

Targets

    • Target

      MxELZ3saa9aQNufK.exe

    • Size

      617KB

    • MD5

      035d33a4798c4baca26c4e1c29730004

    • SHA1

      105c51e37e962271334462f1bd440f8e4e3ad9ee

    • SHA256

      8d87d1e973d1ee16d747824541196d5df60298f4a8b0e24cf0ad684bb69b779c

    • SHA512

      f612ef1c177658827ed18ea2629dacff9188efbb413b4d883421deb76f625fbc44b23f2aefecd9527ff5c8f3e7513da3b9b5ed687f2914a3777679849917a583

    • SSDEEP

      12288:shPg0W3O7y3G369OUyYUf9Q83zlQRFtwi2YLqwzdkbRNSHxSrSlrTSW90FxG0ol:NOeW36FKv3+R3yb

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is commonly used to redirect execution into injected code, as in process hollowing.
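The behaviours above are signature hits over the sample's registry and file accesses, and the ATT&CK matrix is just a count of hits per technique. The script below is an added example, not the sandbox's own code, that reproduces that logic over a constructed trace: the trace lines, the `op|process|path` format, the signature table and its technique mapping are all assumptions made for illustration. It also shows two normalisations a real matcher needs, rewriting native `\REGISTRY\MACHINE` and per-user SID key names to the HKLM/HKCU spelling and dropping the `Wow6432Node` redirection a 32-bit process sees.

```python
"""Match a constructed registry/file access trace against the behaviour
signatures in this report (added example, not the sandbox's own code)."""
import fnmatch
import re
from collections import Counter, defaultdict

# Hypothetical signature table: behaviour -> (lower-case glob patterns, ATT&CK IDs).
# The technique mapping mirrors the matrix in this report (T1552 is the parent
# of T1552.001); the key and file locations are the usual ones for each behaviour.
SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry": (
        [r"hklm\software\oracle\virtualbox guest additions*"], ["T1497", "T1012"]),
    "Looks for VMware Tools registry key": (
        [r"hklm\software\vmware, inc.\vmware tools*"], ["T1497", "T1012"]),
    "Checks BIOS information in registry": (
        [r"hklm\hardware\description\system\*bios*"], ["T1082", "T1012"]),
    "Maps connected drives based on registry": (
        [r"hklm\system\currentcontrolset\services\disk\enum*"], ["T1082", "T1012", "T1120"]),
    "Accesses Microsoft Outlook profiles": (
        [r"hkcu\software\microsoft\office\*\outlook\profiles*",
         r"hkcu\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles*"],
        ["T1114"]),
    "Reads data files stored by FTP clients": (
        [r"*\filezilla\sitemanager.xml", r"*\filezilla\recentservers.xml"],
        ["T1552", "T1552.001", "T1005"]),
    "Reads user/profile data of web browsers": (
        [r"*\user data\*\login data", r"*\firefox\profiles\*\logins.json"],
        ["T1552", "T1552.001", "T1005"]),
}

# Native key names as emitted by a kernel-level monitor, rewritten to the
# HKLM/HKCU spelling used by the signatures; the per-user SID collapses to HKCU.
_HIVES = [
    (re.compile(r"^\\registry\\machine", re.I), "hklm"),
    (re.compile(r"^\\registry\\user\\s-1-5-[0-9-]+", re.I), "hkcu"),
    (re.compile(r"^hkey_local_machine", re.I), "hklm"),
    (re.compile(r"^hkey_current_user", re.I), "hkcu"),
]
# A 32-bit process is redirected into Wow6432Node; drop it so one pattern covers both views.
_WOW = re.compile(r"\\wow6432node(?=\\)", re.I)


def normalize_path(path):
    """Canonical lower-case form of a registry key or file path."""
    for pat, hive in _HIVES:
        path = pat.sub(hive, path, count=1)
    return _WOW.sub("", path).lower()


def parse_trace(text):
    """Yield (operation, process, path) from constructed 'op|process|path' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        op, proc, path = line.split("|", 2)
        yield op, proc, path


def match_trace(text):
    """Return {behaviour: [normalised paths]} for every signature the trace triggers."""
    hits = defaultdict(list)
    for _op, _proc, raw in parse_trace(text):
        path = normalize_path(raw)
        for name, (patterns, _ids) in SIGNATURES.items():
            if any(fnmatch.fnmatchcase(path, p) for p in patterns):
                hits[name].append(path)
    return dict(hits)


def attack_counts(hits):
    """Count matched behaviours per ATT&CK technique, as the report's matrix does."""
    counts = Counter()
    for name in hits:
        counts.update(SIGNATURES[name][1])
    return counts


# Constructed trace: what a registry/file monitor might record for the dropped
# payload. The SID, user name and the two unrelated accesses are made up.
TRACE = r"""
RegOpenKey|MxELZ3saa9aQNufK.exe|\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions
RegOpenKey|MxELZ3saa9aQNufK.exe|HKLM\SOFTWARE\VMware, Inc.\VMware Tools
RegQueryValue|MxELZ3saa9aQNufK.exe|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegQueryValue|MxELZ3saa9aQNufK.exe|HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
RegEnumKey|MxELZ3saa9aQNufK.exe|HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
RegOpenKey|MxELZ3saa9aQNufK.exe|\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
RegOpenKey|MxELZ3saa9aQNufK.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
FileOpen|MxELZ3saa9aQNufK.exe|C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
FileOpen|MxELZ3saa9aQNufK.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
FileOpen|MxELZ3saa9aQNufK.exe|C:\Windows\System32\kernel32.dll
"""

if __name__ == "__main__":
    found = match_trace(TRACE)
    for name, paths in found.items():
        print(f"[+] {name}")
        for p in paths:
            print(f"      {p}")
    for tid, n in sorted(attack_counts(found).items()):
        print(f"{tid}: {n}")
```

On the constructed trace the seven behaviours fire and the per-technique counts come out as in the matrix below (T1012 is 4 because all four registry checks map to it). The BIOS pattern is deliberately narrowed to value names containing `bios`; a bare prefix on `HKLM\HARDWARE\DESCRIPTION\System` would also fire on ordinary CPU enumeration and produce false positives.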

MITRE ATT&CK Matrix ATT&CK v13

The number after each technique is the count of detected behaviours above that map to it.

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Credential Access

    Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2

  • Discovery

    Query Registry (T1012): 4
    Virtualization/Sandbox Evasion (T1497): 2
    System Information Discovery (T1082): 2
    Peripheral Device Discovery (T1120): 1

  • Collection

    Data from Local System (T1005): 2
    Email Collection (T1114): 1

Tasks