General

  • Target

    526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5

  • Size

    2.0MB

  • Sample

    201113-pxexg5xfze

  • MD5

    fc91265d814957f8963ca2ff8de8b689

  • SHA1

    18ce51ccfff15e04b958f95fd1ee3c82cdb2784f

  • SHA256

    526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5

  • SHA512

    5044b473116881cbf0c74a9758b1dbd88cd273d2a928ebac57a0d3a828ece13bdda8448e33b28c54caa0d44bdd3a5ab2ba2b44c09fd3bf6f6383689caf73286a

Malware Config

Targets

    • Target

      526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5

    • Size

      2.0MB

    • MD5

      fc91265d814957f8963ca2ff8de8b689

    • SHA1

      18ce51ccfff15e04b958f95fd1ee3c82cdb2784f

    • SHA256

      526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5

    • SHA512

      5044b473116881cbf0c74a9758b1dbd88cd273d2a928ebac57a0d3a828ece13bdda8448e33b28c54caa0d44bdd3a5ab2ba2b44c09fd3bf6f6383689caf73286a

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Echelon log file

      Detects a log file produced by Echelon.

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks