Overview

overview

10

Static

static

3

6d991f9332...18.exe

windows7-x64

10

6d991f9332...18.exe

windows10-2004-x64

10

Resubmissions

27-07-2024 05:11

240727-fvc5kaygpl 10

25-07-2024 01:26

240725-btj49szbrl 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d991f93327f70488011bf06ba799930_JaffaCakes118

  • Size

    730KB

  • Sample

    240727-fvc5kaygpl

  • MD5

    6d991f93327f70488011bf06ba799930

  • SHA1

    1b630a8c337cc48f9ec41cccc4352f51e7d51e71

  • SHA256

    abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3

  • SHA512

    181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70

  • SSDEEP

    12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt

Score
10/10
matiexcollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      6d991f93327f70488011bf06ba799930_JaffaCakes118

    • Size

      730KB

    • MD5

      6d991f93327f70488011bf06ba799930

    • SHA1

      1b630a8c337cc48f9ec41cccc4352f51e7d51e71

    • SHA256

      abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3

    • SHA512

      181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70

    • SSDEEP

      12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt

    Score
    10/10
    matiexcollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

      stealerkeyloggermatiex

    • Matiex Main payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks