echelon | c3a19079975435934b29b6240b39aea2c5695657cbec4d5e27d862edf1c61c7a

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 18:15

Target

d6ca1276e7b7d3cb2b80c923344d224c.exe
Size

1.0MB
MD5

d6ca1276e7b7d3cb2b80c923344d224c
SHA1

aba6992aff5b194d04b003bfeeca7bb4ff7c94e3
SHA256

c3a19079975435934b29b6240b39aea2c5695657cbec4d5e27d862edf1c61c7a
SHA512

727ef205904c12df9b4b85323f54913f07fde65f4cd715ecdb6345ba65fd6be0b0b95e89759036f9a0c90ba4c17616c25707996f0aed93d57970c84b240056e5
SSDEEP

24576:tjE5uYGhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRyE:1o54clgLH+tkWJ0N9

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-0-0x00000000003C0000-0x00000000004C6000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d6ca1276e7b7d3cb2b80c923344d224c.exe

description	pid	Process
Token: SeDebugPrivilege	1400	d6ca1276e7b7d3cb2b80c923344d224c.exe

C:\Users\Admin\AppData\Local\Temp\d6ca1276e7b7d3cb2b80c923344d224c.exe
"C:\Users\Admin\AppData\Local\Temp\d6ca1276e7b7d3cb2b80c923344d224c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

memory/1400-0-0x00000000003C0000-0x00000000004C6000-memory.dmp

Filesize
1.0MB

Download
memory/1400-1-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/1400-2-0x000000001BE20000-0x000000001BEA0000-memory.dmp

Filesize
512KB

Download
memory/1400-3-0x000000001B2E0000-0x000000001B356000-memory.dmp

Filesize
472KB

Download
memory/1400-4-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download