echelon | 562720cf37245f6bdf71692343b7d7ccc2187e45979e957b86407a21aa83854c

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 11:09

Target

69c10e8fa7d800c4a24b36dffec2cea7.exe
Size

2.4MB
MD5

69c10e8fa7d800c4a24b36dffec2cea7
SHA1

07bea76542382f9613d4de5da9b36abb3276988d
SHA256

562720cf37245f6bdf71692343b7d7ccc2187e45979e957b86407a21aa83854c
SHA512

4cd0dbb29192a8ebc31abd673aa7983a6e2f24e89cc684fb720777aaf5a692010c6f800e1f50b9ffbc9dea397d97a91118a0325cfc4337d83cb2296a6b68bd6f
SSDEEP

49152:IzecMn91vjBteouiARLrW8oj12yoYBGfUjAIgX2z2r:gu9dNtb4nWpjIYBCv9

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-1-0x00000000011D0000-0x0000000001786000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid process

3024 69c10e8fa7d800c4a24b36dffec2cea7.exe
3024 69c10e8fa7d800c4a24b36dffec2cea7.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2692 3024 WerFault.exe 69c10e8fa7d800c4a24b36dffec2cea7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

description pid process

Token: SeDebugPrivilege 3024 69c10e8fa7d800c4a24b36dffec2cea7.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid process

3024 69c10e8fa7d800c4a24b36dffec2cea7.exe

flow	ioc
2	api.ipify.org

pid	process
3024	69c10e8fa7d800c4a24b36dffec2cea7.exe
3024	69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	pid_target	process	target process
2692	3024	WerFault.exe	69c10e8fa7d800c4a24b36dffec2cea7.exe

description	pid	process
Token: SeDebugPrivilege	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	process
3024	69c10e8fa7d800c4a24b36dffec2cea7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

description	pid	process	target process
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	WerFault.exe
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	WerFault.exe
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	WerFault.exe
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1100
2⤵
- Program crash
PID:2692

memory/3024-0-0x00000000011D0000-0x0000000001786000-memory.dmp

Filesize
5.7MB

Download
memory/3024-2-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-1-0x00000000011D0000-0x0000000001786000-memory.dmp

Filesize
5.7MB

Download
memory/3024-3-0x0000000001180000-0x00000000011C0000-memory.dmp

Filesize
256KB

Download
memory/3024-4-0x0000000006530000-0x00000000065A6000-memory.dmp

Filesize
472KB

Download
memory/3024-7-0x00000000011D0000-0x0000000001786000-memory.dmp

Filesize
5.7MB

Download
memory/3024-8-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download