echelon | bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-12-2023 03:16

Target

bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe
Size

592KB
MD5

b68223a4d927ead8b92eefcdbc687ac0
SHA1

89c0f5f856b3645b701375a4cd12808431794607
SHA256

bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052
SHA512

a0681631b854100f2845306af3a56a93d493aa55dac9b4c2fdbe544db4fea62be20f9a25d44fa748057cf95978500887c8b0ab2afc4374f403c3aeeaea5f4ba2
SSDEEP

12288:V6urSvuKZLJLUf9snBS4csPYae6qfzfAA:EvuKhhUF54clNf7fB

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2132-0-0x00000000010D0000-0x000000000116A000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2648	2132	bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe	29
PID 2132 wrote to memory of 2648	2132	bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe	29
PID 2132 wrote to memory of 2648	2132	bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe	29

C:\Users\Admin\AppData\Local\Temp\bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe
"C:\Users\Admin\AppData\Local\Temp\bd23616c42c1b6ea98023106c685acb6489891829a00ebb1dc20e6f6195c6052.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 1352
  2⤵
  PID:2648

memory/2132-0-0x00000000010D0000-0x000000000116A000-memory.dmp

Filesize
616KB

Download
memory/2132-1-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-2-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/2132-3-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-4-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download