Analysis
-
max time kernel
133s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
15-04-2022 09:34
General
-
Target
f6fdbda19458f6eb1380e0e0aaaaf979c49221c4c2a0255d9f78cb9112bdb239.exe
-
Size
786KB
-
MD5
7c9d76a439b166b02a57b7844f3eaf8b
-
SHA1
3fd3ab56d920cd366ef709f227261efe8c843582
-
SHA256
f6fdbda19458f6eb1380e0e0aaaaf979c49221c4c2a0255d9f78cb9112bdb239
-
SHA512
048bcbd394b053b2f61c544ab98b25da965c64820dbbf09c7aebf9201086cf530e106d6d458818c9e858f48d85df810c31fa5bd765825d05168818e5ef15f2fe
Malware Config
Signatures
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
suricata: ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC)
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6fdbda19458f6eb1380e0e0aaaaf979c49221c4c2a0255d9f78cb9112bdb239.exe"C:\Users\Admin\AppData\Local\Temp\f6fdbda19458f6eb1380e0e0aaaaf979c49221c4c2a0255d9f78cb9112bdb239.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f6fdbda19458f6eb1380e0e0aaaaf979c49221c4c2a0255d9f78cb9112bdb239.exe"C:\Users\Admin\AppData\Local\Temp\f6fdbda19458f6eb1380e0e0aaaaf979c49221c4c2a0255d9f78cb9112bdb239.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B62.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c3aa504d1c7765905adabb45cdb8a9ac
SHA19e267ff0492927b287a0d14225ade45304bf304d
SHA2568531e342939d35c6183ee942bdf73298b921e1d6138426f7040aa2774495e8d7
SHA512546a734104d35610204e3c8e0f080056f53a49f0b4db7824e5c985080b64f403794c1dda897ebb0d659ed3912913cfddab29bd713710159ff77bf68dba2a925a
-
Filesize
110B
MD560c8552c68fe16d2fd1b9ef274e3b022
SHA1258fa43d77c7f3e0459a4338cfaa92dbf98710ad
SHA256015b6c8a5a9b2edd30c03a2177cd190aadf1db6d00b25a312df705d417a9e396
SHA512f80a7f8c1e8d75f8966f742075d97db79d678674b01fcd1b3e9be27345a646116db55997269a0e1e0c61030d31ce1396d0c8fa10731c96d4d7c4fde89572354a
-
-
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
808KB
-
Filesize
5.6MB
-
Filesize
584KB
-