echelon | c322a19f7b453ed4b9b03817eedc08e88cd8858fd19de799da20603b2d8f5b90 | Triage

Submit
Reports

Overview

overview

Static

static

Lucky SkinChanger.exe

windows10-2004_x64

Sharing

General

Target

Lucky SkinChanger.rar
Size

1.8MB
Sample

220209-gvx1eahfdm
MD5

2d2a51e73f7d6ead1dcf6f3945e61edc
SHA1

3cb5f60fd3321001da79d29966103a6987a6540e
SHA256

c322a19f7b453ed4b9b03817eedc08e88cd8858fd19de799da20603b2d8f5b90
SHA512

c39b6a1ed6d8aeb16eb1633321f9fbab0da3e7e1dd1c6beb576be2b3bf1cadad321fa2b5a3b099e692a6643e957a78f2b0ed32cc6e39ccf2418e6b2dbeeb8fc1

Score

10^/10

echelon redline sapphire infostealer spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

Lucky SkinChanger.exe

Resource

win10v2004-en-20220113

echelon redline sapphire infostealer spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

sapphire

C2

185.230.143.237:2548

Targets

- Target
  
  Lucky SkinChanger.exe
- Size
  
  2.1MB
- MD5
  
  795a68d97113af5bfe54e3b0250ee2d4
- SHA1
  
  65d1bd69f7fb761ffe0831548b41af9d107692db
- SHA256
  
  1800e21eac1384cd70ce9edc4b58301eb632eb01489481034a3cd292314dc9ff
- SHA512
  
  b87ecd159a781b83fb1e59c6e2aa372f364047832081920c2f8cb1699793536066b5e9150ec447dc280540bb5032aca5da0a1302892d561820009f95ae747990
Score

10^/10

echelon redline sapphire infostealer spyware stealer suricata
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

echelonredlinesapphireinfostealerspywarestealersuricata

© 2018-2024

Terms | Privacy