darkstealer | eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11

General

Target

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Size

2.4MB
MD5

32bef1e15011ae8f2e5b8b0ee40f947a
SHA1

6dad2a93b9487f0ea6caf96ddb8130fc3023bd7d
SHA256

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11
SHA512

528425df1243b8b8a4f66de94de7d50a31ecb4b4937800e44815ce3a70fe637228de5bcc0c6bf23590d656f77fc749b02b863d9e2417f30c848589fb43ec0167

Score

10^/10

darkstealer echelon backdoor collection discovery evasion spyware stealer trojan

Malware Config

Signatures

Darkstealer
Darkstealer is a file grabber, data stealer, and RAT.
trojan backdoor darkstealer
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon - DarkStealer Fork 2 IoCs

Payload resembles modified variant of Echelon Stealer called DarkStealer.

stealer

Processes:

resource	yara_rule
behavioral2/memory/916-132-0x0000000000960000-0x0000000000F34000-memory.dmp	echelon_darkstealer
behavioral2/memory/916-133-0x0000000000960000-0x0000000000F34000-memory.dmp	echelon_darkstealer

Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

yara_rule
echelon_log_file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
27 api.ipify.org
28 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

pid process

916 eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

flow	ioc
26	api.ipify.org
27	api.ipify.org
28	ip-api.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

pid	process
916	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
916	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
916	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
916	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description pid process

Token: SeDebugPrivilege 916 eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	pid	process
Token: SeDebugPrivilege	916	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

outlook_office_path 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

outlook_win_path 1 IoCs

Processes:

eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe

C:\Users\Admin\AppData\Local\Temp\eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe
"C:\Users\Admin\AppData\Local\Temp\eafd60610c62cf0ffd94bd168c68bab0084f9a1b4d737262392d23eb4428ad11.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-130-0x0000000077430000-0x00000000775D3000-memory.dmp

Filesize
1.6MB

Download
memory/916-131-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/916-132-0x0000000000960000-0x0000000000F34000-memory.dmp

Filesize
5.8MB

Download
memory/916-133-0x0000000000960000-0x0000000000F34000-memory.dmp

Filesize
5.8MB

Download
memory/916-134-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/916-135-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/916-136-0x00000000081A0000-0x000000000823C000-memory.dmp

Filesize
624KB

Download
memory/916-137-0x00000000083E0000-0x0000000008472000-memory.dmp

Filesize
584KB

Download
memory/916-138-0x0000000009210000-0x00000000097B4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads