Overview

overview

10

Static

static

NordVPNSetup.exe

windows7_x64

10

NordVPNSetup.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NordVPNSetup.exe

  • Size

    1.1MB

  • Sample

    210907-g6ps6sfcem

  • MD5

    1b01af0b820d4c8d3ebe3723cfefc5f8

  • SHA1

    32e5ee49475a930da2ffe199be41e7b639d1ae1b

  • SHA256

    eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e

  • SHA512

    f27f2ae8bc047cf392d4823898353901b83733a127c750adad4574c82e8371174666144b21938462f152a7be295143041adc3a43f8b05f4fb46ffbd7394445ae

Score
10/10
echelondiscoveryspywarestealer

Malware Config

Targets

    • Target

      NordVPNSetup.exe

    • Size

      1.1MB

    • MD5

      1b01af0b820d4c8d3ebe3723cfefc5f8

    • SHA1

      32e5ee49475a930da2ffe199be41e7b639d1ae1b

    • SHA256

      eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e

    • SHA512

      f27f2ae8bc047cf392d4823898353901b83733a127c750adad4574c82e8371174666144b21938462f152a7be295143041adc3a43f8b05f4fb46ffbd7394445ae

    Score
    10/10
    echelondiscoveryspywarestealer

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

      stealerspywareechelon

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks