Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    17-07-2024 16:53

General

  • Target

    EpsilonClassic.exe

  • Size

    140.1MB

  • MD5

    d60aed1b86f5ce34c81ffacaf4c2635a

  • SHA1

    f0caed459f1c85f653d11cf4510d0f3cf9b82179

  • SHA256

    532b43f7e8e9f89b203e8198792383395b9e47767db0e5d91779d918722a710f

  • SHA512

    01f789d5ac3526a73b578ed559109eb26df543f7ce45c9b0a41803c929b5cb3db392c324cd1ad0da059e919b6ca5d3785801836f39e164eec81a463ac09bf98a

  • SSDEEP

    1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k

Score
10/10

Malware Config

Signatures

  • Epsilon Stealer

    Information stealer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
    "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
      "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1192,i,15309720261026751227,13066986740390779511,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:2540
    • C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
      "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --mojo-platform-channel-handle=1420 --field-trial-handle=1192,i,15309720261026751227,13066986740390779511,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:2904
    • C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
      "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1640 --field-trial-handle=1192,i,15309720261026751227,13066986740390779511,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      2⤵
      • Checks computer location settings
      PID:2648
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryla\WinSCP 2\Sessions"
      2⤵
      PID:2300
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:1016
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:1312
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:900
    • C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
      "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1212 --field-trial-handle=1192,i,15309720261026751227,13066986740390779511,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Autofill Data\All Autofill Data.txt
    Filesize
    231B
    MD5
    dec2be4f1ec3592cea668aa279e7cc9b
    SHA1
    327cf8ab0c895e10674e00ea7f437784bb11d718
    SHA256
    753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
    SHA512
    81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

  • C:\Users\Admin\AppData\Roaming\EpsilonClassic\Local Storage\leveldb\CURRENT~RFf78c246.TMP
    Filesize
    16B
    MD5
    46295cac801e5d4857d09837238a6394
    SHA1
    44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256
    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512
    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • \Users\Admin\AppData\Local\Temp\37db3139-1ba4-4390-aab3-ec43a0ae6e16.tmp.node
    Filesize
    2.6MB
    MD5
    083fd9f2e3e93e1f2c599a2b609c9e5e
    SHA1
    6db2b6ce3e60d828ca32a6000c270c09224f3139
    SHA256
    5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
    SHA512
    08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

  • \Users\Admin\AppData\Local\Temp\dd0b9281-cf47-4838-8e9e-f15f27077e63.tmp.node
    Filesize
    642KB
    MD5
    ab4a1c882f829aaeb65be643caa4e88a
    SHA1
    a5ebfe571aa30feae9ff52cbf18f7b0ae3cccb12
    SHA256
    9e29441fc2b83a9f2457f7e4e4c829970883b34a891533228c85fdff3e703db8
    SHA512
    548055c6eaddaf2aa66abc53ede4e311aa942d2d33ee6bf47e694e32b4c54bde73322f5d88b3192fde4f9226f265dd0d156573b2434ace8af5d6e36af182a880

  • memory/2540-5-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize
    4KB

  • memory/2540-35-0x0000000077600000-0x0000000077601000-memory.dmp
    Filesize
    4KB