echelon | e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88

Analysis

max time kernel
116s
max time network
16s
platform
windows7_x64
resource
win7v20210408
submitted
30-07-2021 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pass.exe
Size

863KB
MD5

a27ba5e68cdd7333b8cd5e4ebd558019
SHA1

c4e6d99f3979003424ad4cc511a36434944c02b0
SHA256

e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88
SHA512

2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1

Score

10^/10

echelon spyware stealer suricata

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Executes dropped EXE 2 IoCs

Processes:

CoderVir Stealer Love Lolz.guru.exe98899.exe

pid process

1428 CoderVir Stealer Love Lolz.guru.exe
1208 98899.exe
Loads dropped DLL 7 IoCs

Processes:

pass.exeWerFault.exe

pid process

1628 pass.exe
1628 pass.exe
1064 WerFault.exe
1064 WerFault.exe
1064 WerFault.exe
1064 WerFault.exe
1064 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 wtfismyip.com
8 wtfismyip.com
9 api.ipify.org
10 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1064 1208 WerFault.exe 98899.exe

pid	process
1428	CoderVir Stealer Love Lolz.guru.exe
1208	98899.exe

pid	process
1628	pass.exe
1628	pass.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe

flow	ioc
7	wtfismyip.com
8	wtfismyip.com
9	api.ipify.org
10	api.ipify.org

pid	pid_target	process	target process
1064	1208	WerFault.exe	98899.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

98899.exeWerFault.exeCoderVir Stealer Love Lolz.guru.exe

pid	process
1208	98899.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1428	CoderVir Stealer Love Lolz.guru.exe
1428	CoderVir Stealer Love Lolz.guru.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1064 WerFault.exe

pid	process
1064	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

98899.exeCoderVir Stealer Love Lolz.guru.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1208	98899.exe
Token: SeDebugPrivilege	1428	CoderVir Stealer Love Lolz.guru.exe
Token: SeDebugPrivilege	1064	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

pass.exe98899.exe

description	pid	process	target process
PID 1628 wrote to memory of 1428	1628	pass.exe	CoderVir Stealer Love Lolz.guru.exe
PID 1628 wrote to memory of 1428	1628	pass.exe	CoderVir Stealer Love Lolz.guru.exe
PID 1628 wrote to memory of 1428	1628	pass.exe	CoderVir Stealer Love Lolz.guru.exe
PID 1628 wrote to memory of 1428	1628	pass.exe	CoderVir Stealer Love Lolz.guru.exe
PID 1628 wrote to memory of 1208	1628	pass.exe	98899.exe
PID 1628 wrote to memory of 1208	1628	pass.exe	98899.exe
PID 1628 wrote to memory of 1208	1628	pass.exe	98899.exe
PID 1628 wrote to memory of 1208	1628	pass.exe	98899.exe
PID 1208 wrote to memory of 1064	1208	98899.exe	WerFault.exe
PID 1208 wrote to memory of 1064	1208	98899.exe	WerFault.exe
PID 1208 wrote to memory of 1064	1208	98899.exe	WerFault.exe
PID 1208 wrote to memory of 1064	1208	98899.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\pass.exe
"C:\Users\Admin\AppData\Local\Temp\pass.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
  "C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\98899.exe
  "C:\Users\Admin\AppData\Local\Temp\98899.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1248
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe

MD5
c10aa673e83a05634292512446b5896d

SHA1
8ac8a1820c0f907412b8159476348ed690cfbaee

SHA256
6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e

SHA512
2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe

MD5
c10aa673e83a05634292512446b5896d

SHA1
8ac8a1820c0f907412b8159476348ed690cfbaee

SHA256
6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e

SHA512
2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67

Download Submit
\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
\Users\Admin\AppData\Local\Temp\98899.exe

MD5
ac0a9390d50cbc5133523482b31e0735

SHA1
4d29f350e46df5672f87095033cdfe3710c58b42

SHA256
710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

SHA512
a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

Download Submit
\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe

MD5
c10aa673e83a05634292512446b5896d

SHA1
8ac8a1820c0f907412b8159476348ed690cfbaee

SHA256
6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e

SHA512
2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67

Download Submit
memory/1064-83-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1064-77-0x0000000000000000-mapping.dmp

Download
memory/1208-66-0x0000000000000000-mapping.dmp

Download
memory/1208-71-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1208-74-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1428-75-0x00000000025A0000-0x0000000002611000-memory.dmp

Filesize
452KB

Download
memory/1428-76-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/1428-67-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1428-62-0x0000000000000000-mapping.dmp

Download
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download