echelon | 562720cf37245f6bdf71692343b7d7ccc2187e45979e957b86407a21aa83854c

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 11:09

Target

69c10e8fa7d800c4a24b36dffec2cea7.exe
Size

2.4MB
MD5

69c10e8fa7d800c4a24b36dffec2cea7
SHA1

07bea76542382f9613d4de5da9b36abb3276988d
SHA256

562720cf37245f6bdf71692343b7d7ccc2187e45979e957b86407a21aa83854c
SHA512

4cd0dbb29192a8ebc31abd673aa7983a6e2f24e89cc684fb720777aaf5a692010c6f800e1f50b9ffbc9dea397d97a91118a0325cfc4337d83cb2296a6b68bd6f
SSDEEP

49152:IzecMn91vjBteouiARLrW8oj12yoYBGfUjAIgX2z2r:gu9dNtb4nWpjIYBCv9

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-1-0x00000000011D0000-0x0000000001786000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	Process
3024	69c10e8fa7d800c4a24b36dffec2cea7.exe
3024	69c10e8fa7d800c4a24b36dffec2cea7.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2692	3024	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

description	pid	Process
Token: SeDebugPrivilege	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	Process
3024	69c10e8fa7d800c4a24b36dffec2cea7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

description	pid	Process	procid_target
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	29
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	29
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	29
PID 3024 wrote to memory of 2692	3024	69c10e8fa7d800c4a24b36dffec2cea7.exe	29

C:\Users\Admin\AppData\Local\Temp\69c10e8fa7d800c4a24b36dffec2cea7.exe
"C:\Users\Admin\AppData\Local\Temp\69c10e8fa7d800c4a24b36dffec2cea7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1100
  2⤵
  - Program crash
  PID:2692

memory/3024-0-0x00000000011D0000-0x0000000001786000-memory.dmp

Filesize
5.7MB

Download
memory/3024-2-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-1-0x00000000011D0000-0x0000000001786000-memory.dmp

Filesize
5.7MB

Download
memory/3024-3-0x0000000001180000-0x00000000011C0000-memory.dmp

Filesize
256KB

Download
memory/3024-4-0x0000000006530000-0x00000000065A6000-memory.dmp

Filesize
472KB

Download
memory/3024-7-0x00000000011D0000-0x0000000001786000-memory.dmp

Filesize
5.7MB

Download
memory/3024-8-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download