General
-
Target
d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3
-
Size
2.4MB
-
Sample
220320-cexbqaeeh2
-
MD5
2ce52a25ec3c74b4a0608e8d0fdec0ff
-
SHA1
d60c64e1333c214db1b37b3d706e10bbc794c3af
-
SHA256
d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3
-
SHA512
9d90b5b6b2b599b791ee938786879cd27fb491878316292fa0e15d34d62060fd717a49bcbc2aa0079d74af053cb452cb82c83f535ce8cc0e871ca1e776fa8397
Malware Config
Targets
-
-
Target
d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3
-
Size
2.4MB
-
MD5
2ce52a25ec3c74b4a0608e8d0fdec0ff
-
SHA1
d60c64e1333c214db1b37b3d706e10bbc794c3af
-
SHA256
d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3
-
SHA512
9d90b5b6b2b599b791ee938786879cd27fb491878316292fa0e15d34d62060fd717a49bcbc2aa0079d74af053cb452cb82c83f535ce8cc0e871ca1e776fa8397
Score10/10-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Echelon log file
Detects a log file produced by Echelon.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-