echelon | 9258fb579d6597ae1cb061dc2dfcd3fdbc6d689f4844bae159bb3f75b9c1b8f6

Analysis

max time kernel
9s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b2fd6cfa20b53ed6d5d55c97ba3884f.exe
Size

1.5MB
MD5

3b2fd6cfa20b53ed6d5d55c97ba3884f
SHA1

a19518b371bc708790bab3f3769d9472559a7de5
SHA256

9258fb579d6597ae1cb061dc2dfcd3fdbc6d689f4844bae159bb3f75b9c1b8f6
SHA512

339b9da108e46690d2c3363c8bedd1bb1f05b6e538b4befc49a44955a3a7f337a4f3e8605b42a15ac1ab36834318e7a82de191d759c05c6291d0551591551f73
SSDEEP

24576:ox1k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqD8kgbS:ox1kQTA5Qw7CSikJo54clgLH+tkWJ0Zb

Score

10^/10

echelon zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2920-18-0x0000000004830000-0x00000000048CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-21-0x0000000004790000-0x000000000482A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-22-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-27-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-35-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-41-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-39-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-37-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-33-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-31-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-29-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-25-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1
behavioral1/memory/2920-23-0x0000000004790000-0x0000000004824000-memory.dmp	family_zgrat_v1

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1704-0-0x00000000001B0000-0x0000000000334000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	freegeoip.app
5	freegeoip.app
2	api.ipify.org
3	api.ipify.org

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2596	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3b2fd6cfa20b53ed6d5d55c97ba3884f.exe

description	pid	Process
Token: SeDebugPrivilege	1704	3b2fd6cfa20b53ed6d5d55c97ba3884f.exe

C:\Users\Admin\AppData\Local\Temp\3b2fd6cfa20b53ed6d5d55c97ba3884f.exe
"C:\Users\Admin\AppData\Local\Temp\3b2fd6cfa20b53ed6d5d55c97ba3884f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  PID:2568
- - C:\Windows\system32\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-0-0x00000000001B0000-0x0000000000334000-memory.dmp

Filesize
1.5MB

Download
memory/1704-1-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/1704-2-0x0000000000660000-0x00000000006E0000-memory.dmp

Filesize
512KB

Download
memory/1704-3-0x000000001A990000-0x000000001AA06000-memory.dmp

Filesize
472KB

Download
memory/1704-15-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2920-18-0x0000000004830000-0x00000000048CC000-memory.dmp

Filesize
624KB

Download
memory/2920-20-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-19-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-17-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-16-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-21-0x0000000004790000-0x000000000482A000-memory.dmp

Filesize
616KB

Download
memory/2920-22-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-27-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-35-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-47-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-57-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-67-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-75-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-83-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-85-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-81-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-79-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-77-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-73-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-71-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-69-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-65-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-63-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-61-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-59-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-55-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-53-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-51-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-49-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-45-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-43-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-41-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-39-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-37-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-33-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-31-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-29-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-25-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-23-0x0000000004790000-0x0000000004824000-memory.dmp

Filesize
592KB

Download
memory/2920-471-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-470-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-522-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-525-0x0000000004E20000-0x0000000004E96000-memory.dmp

Filesize
472KB

Download
memory/2920-541-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-542-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-543-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2920-545-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download