echelon | 84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 01:28

Target

84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe
Size

581KB
MD5

ef058437296cfc61901c367927a3ff4b
SHA1

3ad2da48fab1901a345fa1bd66d0de3ed0356346
SHA256

84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7
SHA512

6063698b00c5abc241bd95a08807b1e31b4fe3fb75948ec8f036b55fa05c95c7aba8598846fcf78a5423da60ec6f915f6c8d835f900ea0bd384f5505b9a12c81
SSDEEP

12288:MiZA7E95GUmdgPp+ryZLJLUf9snBS4csPYae6qfzsAA:gEgryhhUF54clNf7sB

Score

10^/10

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000980000-0x0000000000A18000-memory.dmp	family_echelon
behavioral1/memory/2208-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
4 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe

description pid process

Token: SeDebugPrivilege 2208 84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe

flow	ioc
5	api.ipify.org
4	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	2208	84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe

description	pid	process	target process
PID 2208 wrote to memory of 2748	2208	84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe	WerFault.exe
PID 2208 wrote to memory of 2748	2208	84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe	WerFault.exe
PID 2208 wrote to memory of 2748	2208	84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe
"C:\Users\Admin\AppData\Local\Temp\84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2208 -s 1300
  2⤵
  PID:2748

memory/2208-0-0x0000000000980000-0x0000000000A18000-memory.dmp

Filesize
608KB

Download
memory/2208-1-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/2208-3-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download