General

  • Target

    19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c

  • Size

    2.0MB

  • Sample

    201109-8gcfqqwmcx

  • MD5

    eb66520231ebf47315435acdfbb52691

  • SHA1

    482f7fa8e6169cba5de41141de61df9c7f609234

  • SHA256

    19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c

  • SHA512

    f5edb3e08b951c56df637d66ce0ea968bb8daabe32a2b91a339719ea220096fdec83c16a092bdfa9ac96b14450f571e00e88340238f49e17ab10895d45c3ceb2

Targets

    • Target

      19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Echelon log file

      Detects a log file produced by Echelon.

    • ServiceHost packer

      Detects the ServiceHost packer used to wrap .NET malware.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers target stored browser data, which can include saved credentials, cookies and autofill data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), which stops the calling thread from delivering debug events and so hides it from an attached debugger. This is a common anti-analysis technique and rarely appears in legitimate software.

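The behaviours above (Uninstall-key enumeration, browser credential-store reads, an external IP lookup and the ThreadHideFromDebugger call) are each weak on their own and only become a confident infostealer verdict when they co-occur in one process. The script below is an added example, not Echelon's code and not the sandbox's own signature engine: it correlates constructed, simplified telemetry events (process id, event type, target) into the signature names this report uses and derives a per-process verdict. The event schema, the list of IP-lookup hosts and the sample process ids are assumptions for illustration; real Sysmon or EDR schemas differ.

```python
"""Correlate endpoint telemetry into the behaviours listed in this report.

Added example, not the sandbox's signature engine or the malware's code.
The event shape below is constructed; adapt the field names to your source.
"""
import re
from collections import defaultdict

# Registry keys a stealer walks to enumerate installed software
# ("Checks installed software on the system"), native and WOW6432Node views.
UNINSTALL_KEY_RE = re.compile(
    r"HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\",
    re.IGNORECASE,
)

# Browser profile files that hold saved credentials, cookies or autofill data:
# Chromium "Login Data"/"Web Data"/"Cookies", Firefox "logins.json"/"key4.db".
BROWSER_DATA_RE = re.compile(
    r"\\User Data\\[^\\]+\\(?:Network\\)?(?:Login Data|Cookies|Web Data)$"
    r"|\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$",
    re.IGNORECASE,
)

# Assumed list of public IP-lookup hosts; the report names none, so extend
# this with whatever your own telemetry shows.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ip-api.com"}

# NtSetInformationThread information class ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11


def correlate(events):
    """Map pid -> sorted list of signature names triggered by that process."""
    hits = defaultdict(set)
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "reg_read" and UNINSTALL_KEY_RE.search(ev["key"]):
            hits[pid].add("Checks installed software on the system")
        elif kind == "file_read" and BROWSER_DATA_RE.search(ev["path"]):
            hits[pid].add("Reads user/profile data of web browsers")
        elif kind == "dns" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            hits[pid].add("Looks up external IP address via web service")
        elif (kind == "api" and ev["name"] == "NtSetInformationThread"
              and ev["info_class"] == THREAD_HIDE_FROM_DEBUGGER):
            hits[pid].add("Suspicious use of NtSetInformationThreadHideFromDebugger")
    return {pid: sorted(s) for pid, s in hits.items()}


def verdict(behaviours):
    """Reading a browser credential store is the discriminator: a software
    inventory or an IP lookup alone is common in legitimate tooling."""
    b = set(behaviours)
    if "Reads user/profile data of web browsers" in b and len(b) >= 2:
        return "infostealer"
    if b:
        return "suspicious"
    return "clean"


def summarize(events):
    """pid -> verdict for every process that triggered at least one signature."""
    return {pid: verdict(b) for pid, b in correlate(events).items()}


# Constructed sample telemetry: pid 4120 shows the full stealer pattern,
# pid 812 is a benign inventory agent that only walks the Uninstall keys.
SAMPLE_EVENTS = [
    {"type": "reg_read", "pid": 4120,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "reg_read", "pid": 4120,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\a1b2c3.default-release\logins.json"},
    {"type": "dns", "pid": 4120, "host": "api.ipify.org"},
    {"type": "api", "pid": 4120, "name": "NtSetInformationThread", "info_class": 0x11},
    {"type": "reg_read", "pid": 812,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"},
    {"type": "file_read", "pid": 812, "path": r"C:\ProgramData\inventory\report.json"},
]

if __name__ == "__main__":
    for pid, behaviours in correlate(SAMPLE_EVENTS).items():
        print(pid, verdict(behaviours), behaviours)
```

The verdict deliberately requires the browser-data read plus at least one other behaviour: inventory agents and update checkers routinely enumerate Uninstall keys and query their public IP, so alerting on those alone produces noise, while a process that reads Login Data and also hides its threads from a debugger is worth an analyst's time.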
MITRE ATT&CK Enterprise v6
