General

  • Target

    Revised Invoice.exe

  • Size

    579KB

  • Sample

    210121-plarklpf82

  • MD5

    cbfb94a41abae103511d729b00687c7a

  • SHA1

    f491f44fbbaafb97275cc90ecaa37926534a6151

  • SHA256

    b9d37ce3380de623e8225b466fcd061db7f7828a2e39deace159e5c7f3455015

  • SHA512

    77bfe24a4b0dcc0badcf0b33fd1da5335fadf0e366db4411b0ca130fecefa288006c06cf5bf363edd1b038619e1f8654e0e88020c454e4b0399d906c17128a59

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    igbrusure@gmail.com
  • Password:
    mrruben0094

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    igbrusure@gmail.com
  • Password:
    mrruben0094

Targets

    • Target

      Revised Invoice.exe

    • Size

      579KB

    • MD5

      cbfb94a41abae103511d729b00687c7a

    • SHA1

      f491f44fbbaafb97275cc90ecaa37926534a6151

    • SHA256

      b9d37ce3380de623e8225b466fcd061db7f7828a2e39deace159e5c7f3455015

    • SHA512

      77bfe24a4b0dcc0badcf0b33fd1da5335fadf0e366db4411b0ca130fecefa288006c06cf5bf363edd1b038619e1f8654e0e88020c454e4b0399d906c17128a59

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks