Overview

overview

10

Static

static

3

a27ba5e68c...19.exe

windows7-x64

10

a27ba5e68c...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-02-2024 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a27ba5e68cdd7333b8cd5e4ebd558019.exe

  • Size

    863KB

  • MD5

    a27ba5e68cdd7333b8cd5e4ebd558019

  • SHA1

    c4e6d99f3979003424ad4cc511a36434944c02b0

  • SHA256

    e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88

  • SHA512

    2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1

  • SSDEEP

    12288:XZaaNwVY4K/EX7xzHMPq/2KAIoE2F27HFqkPNXyDxR8AVNHp+0ng13k/u:Ja3VDHtsz5hoHM4KxR8Mg

Score
10/10
echelonspywarestealer

Malware Config

Signatures

  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a27ba5e68cdd7333b8cd5e4ebd558019.exe
    "C:\Users\Admin\AppData\Local\Temp\a27ba5e68cdd7333b8cd5e4ebd558019.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
      "C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2980
    • C:\Users\Admin\AppData\Local\Temp\98899.exe
      "C:\Users\Admin\AppData\Local\Temp\98899.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1152
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\98899.exe
    Filesize

    7KB

    MD5

    ac0a9390d50cbc5133523482b31e0735

    SHA1

    4d29f350e46df5672f87095033cdfe3710c58b42

    SHA256

    710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

    SHA512

    a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

    Download Submit

  • \Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
    Filesize

    1.0MB

    MD5

    c10aa673e83a05634292512446b5896d

    SHA1

    8ac8a1820c0f907412b8159476348ed690cfbaee

    SHA256

    6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e

    SHA512

    2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67

    Download Submit

  • memory/2572-16-0x0000000000B50000-0x0000000000B58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2572-19-0x0000000001FE0000-0x0000000002020000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2572-18-0x0000000073F60000-0x000000007464E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2572-28-0x0000000073F60000-0x000000007464E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2572-29-0x0000000001FE0000-0x0000000002020000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2980-15-0x0000000000C10000-0x0000000000D16000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2980-17-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2980-20-0x000000001BDB0000-0x000000001BE30000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2980-21-0x0000000002440000-0x00000000024B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2980-27-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

    Download