Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26-12-2023 05:08
General
-
Target
56b9cbe1556dd419bec522a473a70a20.exe
-
Size
674KB
-
MD5
56b9cbe1556dd419bec522a473a70a20
-
SHA1
6077796a394c2235f87d02dfd14096ee3cc2fe78
-
SHA256
e74ba4cb7a8950928fb8bc8f3089ca49c295dd4197afb89ddcee666685da6c0a
-
SHA512
eccfb376ab6bbbe79e24b21fdd1c6c682675db04bb7b5574853eca30d79d9ee571a70ac3f7c29c933c2cbf906faca4c7cbbedd62e83194351f856bacf03bb57e
-
SSDEEP
12288:ILfpljJgZSsAjAuYcVWfs6MDMVqfBdcmDBuvXEVd:0JwcAuv0fKMVqJdczEVd
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56b9cbe1556dd419bec522a473a70a20.exe"C:\Users\Admin\AppData\Local\Temp\56b9cbe1556dd419bec522a473a70a20.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
426B
MD542fa959509b3ed7c94c0cf3728b03f6d
SHA1661292176640beb0b38dc9e7a462518eb592d27d
SHA256870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA5127def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007
-
Filesize
92KB
MD59d74a09784ee33fa8fa012a68ff98820
SHA16b563f502cd94a21cd60af445642c5444a84231b
SHA256bc1dca99621de737964b943974f3a55dcc5b7c2841bd66f240714616d0afe8ba
SHA5124f7f349f14878dc82bc8ab6d3d67be4703ca0358c3c09e7a3e08907732082352dfbbf2a0d11320dc042acba9dfff31469fb88048df75f8a12b40b72cf694789d
-
Filesize
65KB
MD57e8d1d1be91fc3bcf2501ae8a797a194
SHA18139d1656fd59895d428af6721ca31a73e671f55
SHA256b0dd8e123cec48a8603e996c57f305e11c53362d782e16cd45c60693e02ad4b8
SHA512a6e9c7592a4037df056512d068d6e45cd08de125012b13f637d5678636e0dddaf99493168ba57e5f8883603ef35cc28d5855dd32144aa1ff239e64a0f521d07d
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
576KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
10.8MB