echelon | 74499fe96913a5ec1b89d8b79ca8bf2d3fd598c0d65339bd6d6223599f20aa7b

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 11:14

Target

6d298ea9fddcb15bc12be3699b88724e.exe
Size

1.0MB
MD5

6d298ea9fddcb15bc12be3699b88724e
SHA1

946732233c9490060639a44ea593f2ccd6ddc30b
SHA256

74499fe96913a5ec1b89d8b79ca8bf2d3fd598c0d65339bd6d6223599f20aa7b
SHA512

40e40caaf22651eb749694b1827f1902c89935bb5f40baf7ec3c68bfd277b68bd76c3a7c54cfa4ce7959b7067b6fb00ec1513f57e330df7790a95e7ed6ebc8ed
SSDEEP

24576:PjE5gAVhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR4E:yo54clgLH+tkWJ0Nj

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-0-0x0000000001390000-0x0000000001496000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6d298ea9fddcb15bc12be3699b88724e.exe

description	pid	Process
Token: SeDebugPrivilege	2628	6d298ea9fddcb15bc12be3699b88724e.exe

C:\Users\Admin\AppData\Local\Temp\6d298ea9fddcb15bc12be3699b88724e.exe
"C:\Users\Admin\AppData\Local\Temp\6d298ea9fddcb15bc12be3699b88724e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

memory/2628-0-0x0000000001390000-0x0000000001496000-memory.dmp

Filesize
1.0MB

Download
memory/2628-1-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-2-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2628-3-0x00000000028A0000-0x0000000002916000-memory.dmp

Filesize
472KB

Download
memory/2628-4-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download