
Analysis Report matiex.exe

Overview

General Information

Sample Name: matiex.exe
Analysis ID: 255481
MD5: d1af1a8b0975b5c62a095f147e785535
SHA1: c98a74a0d5e41e07fc8ec2e35fa4f491abdd11d7
SHA256: 4ea222802308d610bd7d4cc4034b7d29258c65bbd42580a87a8b1fec227fb11d

Most interesting Screenshot:

Detection

AgentTesla Matiex
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected Matiex Keylogger
Machine Learning detection for sample
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Enables debug privileges
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w10x64
  • matiex.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\matiex.exe' MD5: D1AF1A8B0975B5C62A095F147E785535)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
matiex.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.1270407315.0000000000082000.00000002.00020000.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000000.00000002.1539198677.0000000000082000.00000002.00020000.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
Process Memory Space: matiex.exe PID: 7088 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: matiex.exe PID: 7088 | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.matiex.exe.80000.0.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
0.2.matiex.exe.80000.0.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: matiex.exe | Joe Sandbox ML: detected

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: matiex.exe, 00000000.00000002.1548142982.0000000002552000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/Cloud
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudFlareIncECCCA-2.crt0
Source: matiex.exe, 00000000.00000002.1551470524.0000000005C02000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: matiex.exe, 00000000.00000002.1551470524.0000000005C02000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: matiex.exe, 00000000.00000002.1547656174.0000000002461000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: matiex.exe, 00000000.00000002.1547712297.0000000002482000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/HB;jd
Source: matiex.exe, 00000000.00000002.1547856217.00000000024D8000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: matiex.exe, 00000000.00000002.1548054861.0000000002534000.00000004.00000001.sdmp, matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgD8
Source: matiex.exe, 00000000.00000002.1551470524.0000000005C02000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: matiex.exe, 00000000.00000002.1539969959.00000000007BA000.00000004.00000020.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudFlareIncECCCA2.crl06
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudFlareIncECCCA2.crl0L
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: matiex.exe, 00000000.00000002.1551470524.0000000005C02000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/0
Source: matiex.exe, 00000000.00000002.1539969959.00000000007BA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.godaddy.com/02
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.godaddy.com/05
Source: matiex.exe, 00000000.00000002.1547712297.0000000002482000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: matiex.exe, 00000000.00000002.1548142982.0000000002552000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: matiex.exe, 00000000.00000002.1548142982.0000000002552000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: matiex.exe, 00000000.00000002.1547656174.0000000002461000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: matiex.exe, 00000000.00000002.1548142982.0000000002552000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot962940633:AAFWOS5PMSGq49vE3MQVWuNLcoWDhmmugxg/sendDocument?chat_id=13926
Source: matiex.exe, 00000000.00000002.1548142982.0000000002552000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: https://certs.godaddy.com/repository/0
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: matiex.exe, 00000000.00000002.1548054861.0000000002534000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/91.132.136.174
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/91.132.136.174x
Source: matiex.exe, 00000000.00000002.1547656174.0000000002461000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app4
Source: matiex.exe, 00000000.00000002.1548054861.0000000002534000.00000004.00000001.sdmp, matiex.exe, 00000000.00000002.1548032374.000000000252C000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.appD8
Source: matiex.exe, 00000000.00000002.1547656174.0000000002461000.00000004.00000001.sdmp | String found in binary or memory: https://i.imgur.com/GJD7Q5y.png
Source: matiex.exe, 00000000.00000002.1548054861.0000000002534000.00000004.00000001.sdmp, matiex.exe, 00000000.00000002.1547897960.00000000024E8000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: matiex.exe, 00000000.00000002.1540368524.000000000088F000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: matiex.exe, 00000000.00000002.1548074433.000000000253D000.00000004.00000001.sdmp | String found in binary or memory: https://www.geodatatool.com/en/?ip=
Source: matiex.exe, 00000000.00000002.1548074433.000000000253D000.00000004.00000001.sdmp | String found in binary or memory: https://www.geodatatool.com/en/?ip=91.132.136.174
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: matiex.exe, 00000000.00000002.1539969959.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00088153
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_0008BD9D
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A4E0A0
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A4E3E8
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A405C0
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A4ECB8
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A41080
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A41070
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A405B0
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A41588
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A41598
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_00A40B60
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_0008DC21
Source: C:\Users\user\Desktop\matiex.exe | Code function: 0_2_000853C3
Source: matiex.exe | Binary or memory string: OriginalFilename vs matiex.exe
Source: matiex.exe, 00000000.00000002.1539345664.00000000001C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs matiex.exe
Source: matiex.exe, 00000000.00000002.1539969959.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs matiex.exe
Source: matiex.exe, 00000000.00000002.1539388738.00000000004F6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs matiex.exe
Source: matiex.exe, 00000000.00000000.1270434953.00000000000B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZ.exe4 vs matiex.exe
Source: matiex.exe, 00000000.00000000.1270407315.0000000000082000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs matiex.exe
Source: matiex.exe, 00000000.00000002.1551066808.0000000005660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs matiex.exe
Source: matiex.exe | Binary or memory string: OriginalFilenameVNXT.exe* vs matiex.exe
Source: matiex.exe | Binary or memory string: OriginalFilenameZ.exe4 vs matiex.exe
Source: classification engine | Classification label: mal72.troj.spyw.winEXE@1/0@5/3
Source: matiex.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\matiex.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\matiex.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\matiex.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\matiex.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\matiex.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: matiex.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: matiex.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: matiex.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: matiex.exe
Source: C:\Users\user\Desktop\matiex.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\matiex.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\matiex.exe | File Volume queried: C:\ FullSizeInformation
Source: matiex.exe, 00000000.00000002.1551066808.0000000005660000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: matiex.exe, 00000000.00000002.1551066808.0000000005660000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: matiex.exe, 00000000.00000002.1551066808.0000000005660000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: matiex.exe, 00000000.00000002.1540306725.0000000000876000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: matiex.exe, 00000000.00000002.1551066808.0000000005660000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\matiex.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\matiex.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\matiex.exe | Memory allocated: page read and write | page guard
Source: matiex.exe, 00000000.00000002.1540647487.0000000000EF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: matiex.exe, 00000000.00000002.1540647487.0000000000EF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: matiex.exe, 00000000.00000002.1540647487.0000000000EF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: matiex.exe, 00000000.00000002.1540647487.0000000000EF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Users\user\Desktop\matiex.exe VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\matiex.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: Process Memory Space: matiex.exe PID: 7088, type: MEMORY
Yara detected Matiex Keylogger
Source: Yara match | File source: matiex.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.1270407315.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1539198677.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: matiex.exe PID: 7088, type: MEMORY
Source: Yara match | File source: 0.0.matiex.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.matiex.exe.80000.0.unpack, type: UNPACKEDPE
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\matiex.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: Process Memory Space: matiex.exe PID: 7088, type: MEMORY
Yara detected Matiex Keylogger
Source: Yara match | File source: matiex.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.1270407315.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1539198677.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: matiex.exe PID: 7088, type: MEMORY
Source: Yara match | File source: 0.0.matiex.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.matiex.exe.80000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the count shown next to that technique in the original matrix.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
  • Execution: Windows Management Instrumentation (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
  • Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Process Injection (1), Binary Padding, Software Packing, Steganography
  • Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
  • Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (1), Process Discovery (2), Remote System Discovery (1), System Network Configuration Discovery (1), System Information Discovery (24)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
  • Collection: Email Collection (1), Input Capture (1), Archive Collected Data (1), Input Capture, Keylogging, GUI Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
  • Command and Control: Web Service (1), Encrypted Channel (12), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.