Analysis
-
max time kernel
15s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-06-2021 19:46
Static task
static1
Behavioral task
behavioral1
Sample
supremacy/.vs/supremacy_csgo/v16/Browse.VC-wal.db.exe
Resource
win7v20210410
General
-
Target
supremacy/.vs/supremacy_csgo/v16/Browse.VC-wal.db.exe
-
Size
531KB
-
MD5
c8e781071aced942d989823c2e1dc107
-
SHA1
80322b92c1d45bc1d9ccc31856e4b0be46159fce
-
SHA256
dbf5add59cbb4c99672f0213347c5392b36b9da91c27d5307ea561f298277945
-
SHA512
63af46c19ae796fe3de276b88f82fdfebd91a632593ce1c1d0b846e41bdf619cb0bc706b0e548646a46f5c363c65d5fc15f9458e96f292cefb699b9c244dfb67
Malware Config
Signatures
-
Echelon log file 1 IoCs
Detects a log file produced by Echelon.
Processes:
yara_rule echelon_log_file -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 api.ipify.org 12 api.ipify.org 13 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Browse.VC-wal.db.exepid process 3196 Browse.VC-wal.db.exe 3196 Browse.VC-wal.db.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Browse.VC-wal.db.exedescription pid process Token: SeDebugPrivilege 3196 Browse.VC-wal.db.exe