Analysis
-
max time kernel
111s -
max time network
119s -
platform
windows7_x64 -
resource
win7 -
submitted
17-07-2020 08:53
General
-
Target
DataStealer (1).bin.exe
-
Size
1.1MB
-
MD5
0169eccba69a58cdffbb1dce2863ae8f
-
SHA1
9718f39bb9307a1b95d9bb403262ffce82758074
-
SHA256
9a3b89ea2396b22020fc8e3bde1b832ca70d8b875b088f451f54e85f359380df
-
SHA512
97ca44993d2a1cf2ecbd423b29bbcea2a500de96b7f7a899ed77d5836f1d111311ee19770c1a20caffeeadc64ccb98e86d1618779b48470f29f94d0eb5f75750
Score
10/10
Malware Config
Signatures
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Echelon log file 1 IoCs
Detects a log file produced by Echelon.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DataStealer (1).bin.exe"C:\Users\Admin\AppData\Local\Temp\DataStealer (1).bin.exe"1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses