echelon | 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 01:38

Target

8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
Size

592KB
MD5

4adf2dcdd159d53b5b783534fe72ab9e
SHA1

9b06ed6123769b99fb9367162df0de08af72d280
SHA256

8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458
SHA512

8056de9abf8a9d9329f0b6e2d324049e6c30770c4073e5cd515a10f73e85ee11c47dda93625cba203d0af633c8be5adffdb289eeb657212e8112ee1d629f6e6c
SSDEEP

12288:QPWs8S7TzZLJLUf9snBS4csPYae6qfzIAA:87TzhhUF54clNf7IB

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-1-0x0000000000B00000-0x0000000000B9A000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe

description pid process

Token: SeDebugPrivilege 2888 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	2888	8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe

description	pid	process	target process
PID 2888 wrote to memory of 2088	2888	8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe	WerFault.exe
PID 2888 wrote to memory of 2088	2888	8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe	WerFault.exe
PID 2888 wrote to memory of 2088	2888	8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
"C:\Users\Admin\AppData\Local\Temp\8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2888 -s 1268
  2⤵
  PID:2088

memory/2888-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000B00000-0x0000000000B9A000-memory.dmp

Filesize
616KB

Download
memory/2888-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-3-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download