Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 01:38
Behavioral task
behavioral1
Sample
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
Resource
win10v2004-20240508-en
General
-
Target
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
-
Size
592KB
-
MD5
4adf2dcdd159d53b5b783534fe72ab9e
-
SHA1
9b06ed6123769b99fb9367162df0de08af72d280
-
SHA256
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458
-
SHA512
8056de9abf8a9d9329f0b6e2d324049e6c30770c4073e5cd515a10f73e85ee11c47dda93625cba203d0af633c8be5adffdb289eeb657212e8112ee1d629f6e6c
-
SSDEEP
12288:QPWs8S7TzZLJLUf9snBS4csPYae6qfzIAA:87TzhhUF54clNf7IB
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral2/memory/3012-1-0x0000022EEBFC0000-0x0000022EEC05A000-memory.dmp family_echelon -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 7 api.ipify.org 33 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3012 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe 3012 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3012 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe"C:\Users\Admin\AppData\Local\Temp\8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3012