darkstealer | eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-03-2022 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Size

2.4MB
MD5

32bef1e15011ae8f2e5b8b0ee40f947a
SHA1

6dad2a93b9487f0ea6caf96ddb8130fc3023bd7d
SHA256

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11
SHA512

528425df1243b8b8a4f66de94de7d50a31ecb4b4937800e44815ce3a70fe637228de5bcc0c6bf23590d656f77fc749b02b863d9e2417f30c848589fb43ec0167

Score

10^/10

darkstealer echelon backdoor collection discovery evasion spyware stealer trojan

Malware Config

Signatures

Darkstealer
Darkstealer is a file grabber, data stealer, and RAT.
trojan backdoor darkstealer
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon - DarkStealer Fork 2 IoCs

Payload resembles modified variant of Echelon Stealer called DarkStealer.

stealer

Processes:

resource	yara_rule
behavioral1/memory/1664-62-0x00000000002F0000-0x00000000008C4000-memory.dmp	echelon_darkstealer
behavioral1/memory/1664-63-0x00000000002F0000-0x00000000008C4000-memory.dmp	echelon_darkstealer

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

Processes:

yara_rule
echelon_log_file

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	api.ipify.org
4	api.ipify.org
5	api.ipify.org
6	ip-api.com
8	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

pid	Process
1664	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

pid	Process
1664	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
1664	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
1664	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	pid	Process
Token: SeDebugPrivilege	1664	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

outlook_office_path 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

outlook_win_path 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

C:\Users\Admin\AppData\Local\Temp\eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
"C:\Users\Admin\AppData\Local\Temp\eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1664-56-0x0000000077990000-0x0000000077B10000-memory.dmp

Filesize
1.5MB

Download
memory/1664-57-0x00000000774A0000-0x0000000077590000-memory.dmp

Filesize
960KB

Download
memory/1664-58-0x0000000075830000-0x00000000758FC000-memory.dmp

Filesize
816KB

Download
memory/1664-59-0x00000000751C0000-0x000000007520A000-memory.dmp

Filesize
296KB

Download
memory/1664-60-0x0000000075130000-0x0000000075139000-memory.dmp

Filesize
36KB

Download
memory/1664-61-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-62-0x00000000002F0000-0x00000000008C4000-memory.dmp

Filesize
5.8MB

Download
memory/1664-63-0x00000000002F0000-0x00000000008C4000-memory.dmp

Filesize
5.8MB

Download
memory/1664-64-0x00000000750B0000-0x0000000075130000-memory.dmp

Filesize
512KB

Download
memory/1664-65-0x0000000075090000-0x000000007509B000-memory.dmp

Filesize
44KB

Download
memory/1664-66-0x0000000075CA0000-0x0000000075D23000-memory.dmp

Filesize
524KB

Download
memory/1664-67-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-68-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-69-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-70-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/1664-71-0x0000000073E30000-0x0000000073E47000-memory.dmp

Filesize
92KB

Download
memory/1664-72-0x000000006EDB0000-0x000000006EE02000-memory.dmp

Filesize
328KB

Download
memory/1664-73-0x0000000073E20000-0x0000000073E2D000-memory.dmp

Filesize
52KB

Download
memory/1664-74-0x000000006ECD0000-0x000000006ED28000-memory.dmp

Filesize
352KB

Download
memory/1664-75-0x0000000077040000-0x0000000077067000-memory.dmp

Filesize
156KB

Download
memory/1664-76-0x0000000075AF0000-0x0000000075C0D000-memory.dmp

Filesize
1.1MB

Download
memory/1664-77-0x0000000075AF0000-0x0000000075C0D000-memory.dmp

Filesize
1.1MB

Download
memory/1664-78-0x000000006ECD0000-0x000000006ED28000-memory.dmp

Filesize
352KB

Download
memory/1664-79-0x0000000075130000-0x0000000075139000-memory.dmp

Filesize
36KB

Download
memory/1664-80-0x0000000075830000-0x00000000758FC000-memory.dmp

Filesize
816KB

Download
memory/1664-81-0x00000000774A0000-0x0000000077590000-memory.dmp

Filesize
960KB

Download
memory/1664-82-0x000000006EB10000-0x000000006EB18000-memory.dmp

Filesize
32KB

Download
memory/1664-83-0x0000000077040000-0x0000000077067000-memory.dmp

Filesize
156KB

Download
memory/1664-85-0x000000006EDB0000-0x000000006EE02000-memory.dmp

Filesize
328KB

Download
memory/1664-84-0x0000000073E20000-0x0000000073E2D000-memory.dmp

Filesize
52KB

Download
memory/1664-86-0x000000006ED90000-0x000000006EDA5000-memory.dmp

Filesize
84KB

Download
memory/1664-87-0x0000000073E30000-0x0000000073E47000-memory.dmp

Filesize
92KB

Download
memory/1664-88-0x0000000075250000-0x00000000752D4000-memory.dmp

Filesize
528KB

Download
memory/1664-89-0x0000000075090000-0x000000007509B000-memory.dmp

Filesize
44KB

Download
memory/1664-91-0x00000000751C0000-0x000000007520A000-memory.dmp

Filesize
296KB

Download
memory/1664-90-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download