echelon | f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2 | Triage

Submit
Reports

Overview

overview

Static

static

3

f210c6578c...c2.exe

windows7-x64

f210c6578c...c2.exe

windows10-2004-x64

Sharing

General

Target

f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2
Size

26.6MB
Sample

240225-bh8cqaad2t
MD5

0ca6c805da69fb131412fee821298139
SHA1

3dbb25eb358da6381e7097ac5a40273336ad8366
SHA256

f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2
SHA512

90fae09ee6a5759f96e4b6b9ed6fe8b0e6ff6afcce900e49ef09bb0ee8fcf467950690caab294c5abf3b99175ed1c63317fc53bff70ded509cd1ae2efb803214
SSDEEP

786432:Exsai8/g0usnG1KUUeuJ9+ChkQUIOmU3tS5CaHbkLmxRZdw:usr0ugG1KUoJ9+NQv9U3txCvw

Score

10^/10

echelon pyinstaller spyware stealer vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe

Resource

win7-20240221-en

echelon spyware stealer vmprotect

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe

Resource

win10v2004-20240221-en

echelon pyinstaller spyware stealer vmprotect

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2
- Size
  
  26.6MB
- MD5
  
  0ca6c805da69fb131412fee821298139
- SHA1
  
  3dbb25eb358da6381e7097ac5a40273336ad8366
- SHA256
  
  f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2
- SHA512
  
  90fae09ee6a5759f96e4b6b9ed6fe8b0e6ff6afcce900e49ef09bb0ee8fcf467950690caab294c5abf3b99175ed1c63317fc53bff70ded509cd1ae2efb803214
- SSDEEP
  
  786432:Exsai8/g0usnG1KUUeuJ9+ChkQUIOmU3tS5CaHbkLmxRZdw:usr0ugG1KUoJ9+NQv9U3txCvw
Score

10^/10

echelon spyware stealer vmprotect pyinstaller
- Detects Echelon Stealer payload
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

echelonspywarestealervmprotect

behavioral2

echelonpyinstallerspywarestealervmprotect

© 2018-2024

Terms | Privacy