Malware Analysis Report

2024-11-15 06:30

Sample ID 210607-6wl9q5g1zj
Target supremacy.rar
SHA256 f3f48cabdadc02e92cae84ba7440239f273b97bb53d2c97988acff0c07c5baef
Tags
echelon discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3f48cabdadc02e92cae84ba7440239f273b97bb53d2c97988acff0c07c5baef

Threat Level: Known bad

The file supremacy.rar was found to be: Known bad.

Malicious Activity Summary

echelon discovery spyware stealer

Echelon

Echelon log file

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-06-07 19:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-06-07 19:01

Reported

2021-06-07 19:03

Platform

win10v20210408

Max time kernel

12s

Max time network

33s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\supremacy\slider.h.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\supremacy\slider.h.vbs"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-06-07 19:01

Reported

2021-06-07 19:03

Platform

win10v20210410

Max time kernel

14s

Max time network

23s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\supremacy\address.h.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\supremacy\address.h.vbs"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2021-06-07 19:01

Reported

2021-06-07 19:03

Platform

win10v20210410

Max time kernel

15s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\supremacy\.vs\supremacy_csgo\v16\Browse.VC-wal.db.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\supremacy\.vs\supremacy_csgo\v16\Browse.VC-wal.db.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\supremacy\.vs\supremacy_csgo\v16\Browse.VC-wal.db.exe

"C:\Users\Admin\AppData\Local\Temp\supremacy\.vs\supremacy_csgo\v16\Browse.VC-wal.db.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 50.19.252.36:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 g.api.mega.co.nz udp
N/A 66.203.125.15:443 g.api.mega.co.nz tcp
N/A 8.8.8.8:53 gfs270n076.userstorage.mega.co.nz udp
N/A 89.44.168.240:80 gfs270n076.userstorage.mega.co.nz tcp

Files

memory/2680-114-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2680-116-0x0000000002470000-0x00000000024AE000-memory.dmp

memory/2680-117-0x00000000024B0000-0x00000000024BF000-memory.dmp

memory/2680-118-0x00000000024C0000-0x00000000024C9000-memory.dmp

memory/2680-119-0x0000000002440000-0x0000000002442000-memory.dmp

memory/2680-120-0x000000001B750000-0x000000001B768000-memory.dmp

memory/2680-121-0x000000001BA10000-0x000000001BA9D000-memory.dmp

memory/2680-122-0x000000001B7B0000-0x000000001B7B1000-memory.dmp