templezx.exe

General

Target: templezx.exe
Filesize: 563KB
Completed: 27-07-2021 15:23
Score: 10/10
MD5: 2b1679e8ba0a15c211922ced9909c89e
SHA1: e1ea8f4ecd4b01f87275d3bd13c101facfbe9408
SHA256: 70351038cf49fc5bf127e4f7df1c563ec036293cbc00010ade2364e0ee311a27

Malware Config

Extracted

Family: snakekeylogger
Credentials
Protocol: smtp
Host: mail.bundabergtrophies.com.au
Port: 587
Username: admin@bundabergtrophies.com.au
Password: nKlnBbMZLI

Signatures 10

Collection
Credential Access
  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource: behavioral2/memory/3680-121-0x0000000004F30000-0x0000000004F3B000-memory.dmp
    yara_rule: CustAttr
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    15    checkip.dyndns.org
    17    freegeoip.app
    18    freegeoip.app
  • Suspicious use of SetThreadContext
    templezx.exe

    Reported IOCs

    description                          pid   process       target process
    PID 3680 set thread context of 412   3680  templezx.exe  templezx.exe
  • Suspicious behavior: EnumeratesProcesses
    templezx.exe

    Reported IOCs

    pid  process
    412  templezx.exe
  • Suspicious use of AdjustPrivilegeToken
    templezx.exe

    Reported IOCs

    description               pid  process
    Token: SeDebugPrivilege   412  templezx.exe
  • Suspicious use of WriteProcessMemory
    templezx.exe

    Reported IOCs

    description                       pid   process       target process
    PID 3680 wrote to memory of 412   3680  templezx.exe  templezx.exe   (8 identical entries)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\templezx.exe
    "C:\Users\Admin\AppData\Local\Temp\templezx.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\templezx.exe
      "C:\Users\Admin\AppData\Local\Temp\templezx.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:412
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\templezx.exe.log
    MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
    SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
    SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
    SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
