echelon | 0a0a341eb3849788273e62d2acd28de82942f01396c7543f85a5b8a8420e0c44

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 07:36

Target

a339a377abbfb9c0ee85652901cc67b3.exe
Size

1.0MB
MD5

a339a377abbfb9c0ee85652901cc67b3
SHA1

cbafbcefd502b16d4661a2da17fc6d04b34ee0cb
SHA256

0a0a341eb3849788273e62d2acd28de82942f01396c7543f85a5b8a8420e0c44
SHA512

a43ae5d6cf03c96ae757bdb97521562c64e7248d73791ecfae1498df4e9b7401d359bba5e56a3ba2c16cc0e6f30cfc6b9c421667353cb4677b98977c0082282d
SSDEEP

24576:JjE5gAVhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR4E:go54clgLH+tkWJ0Nj

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-0-0x0000000000320000-0x0000000000426000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org
2	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a339a377abbfb9c0ee85652901cc67b3.exe

description	pid	Process
Token: SeDebugPrivilege	1660	a339a377abbfb9c0ee85652901cc67b3.exe

C:\Users\Admin\AppData\Local\Temp\a339a377abbfb9c0ee85652901cc67b3.exe
"C:\Users\Admin\AppData\Local\Temp\a339a377abbfb9c0ee85652901cc67b3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

memory/1660-0-0x0000000000320000-0x0000000000426000-memory.dmp

Filesize
1.0MB

Download
memory/1660-1-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1660-2-0x000000001BAC0000-0x000000001BB40000-memory.dmp

Filesize
512KB

Download
memory/1660-3-0x0000000002470000-0x00000000024E6000-memory.dmp

Filesize
472KB

Download
memory/1660-4-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download