echelon | 3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250

Analysis

max time kernel
74s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 01:11

Target

3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe
Size

592KB
MD5

07bfa6051124f24ce093d2cf828a7478
SHA1

c033ff32763829291f88ba29a4a7e8bdb5482156
SHA256

3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250
SHA512

11e1d37d42df8bf88d6b5e121ae4f825584969654c4c5892a9bb333e89ed49361859d7f0b04e8c8c63a92fb2185c5c6778e5e82480fa0341805dfe54522147a4
SSDEEP

12288:Y6urSvuRZLJLUf9snBS4csPYae6qfzcbAA:VvuRhhUF54clNf7cbB

Score

10^/10

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-0-0x0000000001390000-0x000000000142A000-memory.dmp	family_echelon
behavioral1/memory/2780-2-0x000000001B0C0000-0x000000001B140000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe

description pid process

Token: SeDebugPrivilege 2780 3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe

flow	ioc
2	api.ipify.org
3	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	2780	3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe

description	pid	process	target process
PID 2780 wrote to memory of 2020	2780	3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe	WerFault.exe
PID 2780 wrote to memory of 2020	2780	3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe	WerFault.exe
PID 2780 wrote to memory of 2020	2780	3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe
"C:\Users\Admin\AppData\Local\Temp\3bfc582afc5a8ba63fe6d6fa7cf4633b0866ff70e7b0d7b6631f9dfdd3b37250.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2780 -s 1228
  2⤵
  PID:2020

memory/2780-0-0x0000000001390000-0x000000000142A000-memory.dmp

Filesize
616KB

Download
memory/2780-1-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2780-3-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download