Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15-03-2024 02:01
Behavioral task
behavioral1
Sample
fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe
Resource
win10v2004-20240226-en
General
-
Target
fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe
-
Size
573KB
-
MD5
ee000a7fa90440f296205d2bd9c94a23
-
SHA1
a497e8634d42a15afc7004b010b1c2bc8fc71b93
-
SHA256
fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2
-
SHA512
7b1fa56b033485dd67595c95122e4c73dad54f41f4366faa69d56ed7d8095eb745e591cc2601ad647d3127ba5481be8d1d99f07aa74fb89c47651f2f3e17248d
-
SSDEEP
12288:6tYZ/ZLVO2tyAZLJLUf9snBS4csPYae6qfzuQA3r/:6tYZxLBhhUF54clNf7uR3r/
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral2/memory/1392-0-0x00000279CF410000-0x00000279CF4A6000-memory.dmp family_echelon -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 api.ipify.org 10 api.ipify.org 52 ip-api.com -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1392 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe 1392 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe 1392 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1392 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe"C:\Users\Admin\AppData\Local\Temp\fbb2992be0509961aa9592a99cd13bdaac8eb4ab140672977fc882bcaf7f8fe2.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1392