General
-
Target
729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6
-
Size
1.7MB
-
Sample
220503-x1yf5aafd6
-
MD5
caea94dab0c8720bd97447d7f9e1ecb8
-
SHA1
f3eb2519d75901b6c8fc6107bd354b013e6a0b71
-
SHA256
729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6
-
SHA512
7752ae0ca4cece6e444af17c50c5cd2226f4c051674286529bf23c4e9f540455e54d969ab2988a7c580beb88be515bf59494b81516a3f9faafe6514123f9ecdb
Malware Config
Targets
-
-
Target
729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6
-
Size
1.7MB
-
MD5
caea94dab0c8720bd97447d7f9e1ecb8
-
SHA1
f3eb2519d75901b6c8fc6107bd354b013e6a0b71
-
SHA256
729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6
-
SHA512
7752ae0ca4cece6e444af17c50c5cd2226f4c051674286529bf23c4e9f540455e54d969ab2988a7c580beb88be515bf59494b81516a3f9faafe6514123f9ecdb
Score10/10-
Darkstealer
Darkstealer is a file grabber, data stealer, and RAT.
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Echelon - DarkStealer Fork
Payload resembles modified variant of Echelon Stealer called DarkStealer.
-
Echelon log file
Detects a log file produced by Echelon.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-