echelon | 4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 01:10

Target

4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe
Size

581KB
MD5

39c64b7bdf9dd6ddfde23780315058e2
SHA1

a2d9ee67c3f96305477feb0b48e221520c519b6c
SHA256

4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017
SHA512

cad870ca9302a288658882adb9aeb9280ae22790eadb526e31792480fb6d78bdac05d7945e571ac616d632a2641eecd87fd44f3284d55138c4424a378bf3ae75
SSDEEP

12288:6EIV3v4dN7ImqoxwRdwrjZLJLUf9snBS4csPYae6qfzQAA:KkhIarjhhUF54clNf7QB

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-1-0x0000000000B30000-0x0000000000BC8000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe

description pid process

Token: SeDebugPrivilege 1580 4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe

flow	ioc
4	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	1580	4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe

description	pid	process	target process
PID 1580 wrote to memory of 2764	1580	4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe	WerFault.exe
PID 1580 wrote to memory of 2764	1580	4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe	WerFault.exe
PID 1580 wrote to memory of 2764	1580	4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe
"C:\Users\Admin\AppData\Local\Temp\4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1580 -s 1248
  2⤵
  PID:2764

memory/1580-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1580-1-0x0000000000B30000-0x0000000000BC8000-memory.dmp

Filesize
608KB

Download
memory/1580-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1580-3-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1580-4-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download