templezx.exe

General

Target: templezx.exe
Filesize: 563KB
Completed: 27-07-2021 16:35
Score: 10/10
MD5: 2b1679e8ba0a15c211922ced9909c89e
SHA1: e1ea8f4ecd4b01f87275d3bd13c101facfbe9408
SHA256: 70351038cf49fc5bf127e4f7df1c563ec036293cbc00010ade2364e0ee311a27

Malware Config

Extracted

Family: snakekeylogger
Credentials
  Protocol: smtp
  Host: mail.bundabergtrophies.com.au
  Port: 587
  Username: admin@bundabergtrophies.com.au
  Password: nKlnBbMZLI

Signatures 10

  • Snake Keylogger

    Tactics: Collection, Credential Access

    Description

    Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3128-121-0x0000000002410000-0x000000000241B000-memory.dmp | CustAttr
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    13 | checkip.dyndns.org
    15 | freegeoip.app
    16 | freegeoip.app
  • Suspicious use of SetThreadContext
    templezx.exe

    Reported IOCs

    description | pid | process | target process
    PID 3128 set thread context of 2952 | 3128 | templezx.exe | templezx.exe
  • Suspicious behavior: EnumeratesProcesses
    templezx.exe

    Reported IOCs

    pid | process
    2952 | templezx.exe
  • Suspicious use of AdjustPrivilegeToken
    templezx.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2952 | templezx.exe
  • Suspicious use of WriteProcessMemory
    templezx.exe

    Reported IOCs

    description | pid | process | target process
    PID 3128 wrote to memory of 2952 | 3128 | templezx.exe | templezx.exe (8 identical entries)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\templezx.exe
    "C:\Users\Admin\AppData\Local\Temp\templezx.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID: 3128
    • C:\Users\Admin\AppData\Local\Temp\templezx.exe
      "C:\Users\Admin\AppData\Local\Temp\templezx.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID: 2952
Network

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/2952-131-0x00000000050F0000-0x00000000055EE000-memory.dmp
  • memory/2952-130-0x0000000006380000-0x0000000006381000-memory.dmp
  • memory/2952-125-0x000000000041F89E-mapping.dmp
  • memory/2952-124-0x0000000000400000-0x0000000000424000-memory.dmp
  • memory/3128-121-0x0000000002410000-0x000000000241B000-memory.dmp
  • memory/3128-120-0x0000000004B10000-0x000000000500E000-memory.dmp
  • memory/3128-119-0x00000000049D0000-0x00000000049D1000-memory.dmp
  • memory/3128-122-0x0000000006FA0000-0x0000000007006000-memory.dmp
  • memory/3128-123-0x0000000004FB0000-0x0000000004FD6000-memory.dmp
  • memory/3128-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
  • memory/3128-117-0x00000000049E0000-0x00000000049E1000-memory.dmp
  • memory/3128-116-0x0000000005010000-0x0000000005011000-memory.dmp
  • memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp