echelon | 62b0221391c3a3b97dc587329b5ecf17e4435515026072f2419503ceefc2a455

Analysis

max time kernel
139s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 01:19

Target

62b0221391c3a3b97dc587329b5ecf17e4435515026072f2419503ceefc2a455.exe
Size

780KB
MD5

d8cb800bdea9202ffcfe01bfcbf3f8da
SHA1

0c643c77649b59ddd141d9fa02724b1408d8ca28
SHA256

62b0221391c3a3b97dc587329b5ecf17e4435515026072f2419503ceefc2a455
SHA512

4eb5c8c6f3995d9311a39886a6f40b32074b45a0bd8b200b0dd047dc5d53d39e28dddf336cdffa2f5780097d0d28f5e0c0d8fcd68228755b840d95a2badbfbe9
SSDEEP

12288:9uReJkcXyjgJ7Isn1wA6BBkeDTONbIcAA:seKcnJ7IgwA6DCNbzB

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

resource	yara_rule
behavioral2/memory/4260-0-0x000001F7F8D40000-0x000001F7F8E0A000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
3	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	62b0221391c3a3b97dc587329b5ecf17e4435515026072f2419503ceefc2a455.exe

C:\Users\Admin\AppData\Local\Temp\62b0221391c3a3b97dc587329b5ecf17e4435515026072f2419503ceefc2a455.exe
"C:\Users\Admin\AppData\Local\Temp\62b0221391c3a3b97dc587329b5ecf17e4435515026072f2419503ceefc2a455.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

memory/4260-0-0x000001F7F8D40000-0x000001F7F8E0A000-memory.dmp

Filesize
808KB

Download
memory/4260-1-0x00007FFEA6D30000-0x00007FFEA77F1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-2-0x000001F7FB2C0000-0x000001F7FB2D0000-memory.dmp

Filesize
64KB

Download
memory/4260-3-0x00007FFEA6D30000-0x00007FFEA77F1000-memory.dmp

Filesize
10.8MB

Download