Analysis
-
max time kernel
112s -
max time network
117s -
platform
windows7_x64 -
resource
win7 -
submitted
17-07-2020 08:58
General
-
Target
DataStealer from 1_2.exe
-
Size
1.2MB
-
MD5
7dba2e8ecbad5b33646e03a4af78967a
-
SHA1
f538fe80f76330e7d548e4f9b5171a56116d8e5e
-
SHA256
861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788
-
SHA512
b6a5e07b0227a6acecfba1917de66099e42c69632333e49f75b4c8d8191cb268bea4c751be2afd763089ea205083a35cf6c2b8c15de02e3564a842d5c3d8d1c6
Score
10/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Echelon log file 1 IoCs
Detects a log file produced by Echelon.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Modifies system certificate store 2 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DataStealer from 1_2.exe"C:\Users\Admin\AppData\Local\Temp\DataStealer from 1_2.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store