General

  • Target

    632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe

  • Size

    3.7MB

  • Sample

    240825-a27d4azgnl

  • MD5

    3f6e8330d2fee900c0f62733dd93d9d0

  • SHA1

    3ba73e5b26aa98a99c5ed5fc98807e708c259ff9

  • SHA256

    632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c

  • SHA512

    4e219292e3cfaa834fe4a80219096af1d34d49a844bba7777d8b0d3eb0ed2cbb21a9f4cfc9c4cc140d81422595d0dce0fec8066e3303fafb777123709a9e8c4e

  • SSDEEP

    49152:elBy2uIIBYAU8XF97A8tDTsCKP5RixHcZgCP/8aroBsUsro9H7J7Q:CB5u+Az/88tDTcRYxHcZgy/m2CN

Malware Config

Targets

    • Target

      632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe

    • Size

      3.7MB

    • MD5

      3f6e8330d2fee900c0f62733dd93d9d0

    • SHA1

      3ba73e5b26aa98a99c5ed5fc98807e708c259ff9

    • SHA256

      632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c

    • SHA512

      4e219292e3cfaa834fe4a80219096af1d34d49a844bba7777d8b0d3eb0ed2cbb21a9f4cfc9c4cc140d81422595d0dce0fec8066e3303fafb777123709a9e8c4e

    • SSDEEP

      49152:elBy2uIIBYAU8XF97A8tDTsCKP5RixHcZgCP/8aroBsUsro9H7J7Q:CB5u+Az/88tDTcRYxHcZgy/m2CN

    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks