Analysis
-
max time kernel
18s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-09-2024 19:36
Behavioral task
behavioral1
Sample
Echelon.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
60 seconds
Behavioral task
behavioral2
Sample
Echelon.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
60 seconds
General
-
Target
Echelon.exe
-
Size
778KB
-
MD5
76af6669d9635ffe4fdbf97af1a57fa6
-
SHA1
d3cba94b74f67e8d98cfa89209748ea2701bef80
-
SHA256
cab5dcf0af0ee68bc7113ab59e08ef43f2a62c8538afb2d96e154fc6fd19b9f0
-
SHA512
11fc1464800a4481865649cd71815f8d5be79d28bf36e6d56ffac65ce9564e346b22f73e8f0404efba5687e2291a4530f4ff125e580b2f62ec377a2c2bf743e7
-
SSDEEP
24576:9FYpeHEsokNLQyhFoVdJOlc8msV0EWRr:6ASumJmc8mW0d
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/1964-1-0x0000000000220000-0x00000000002E8000-memory.dmp family_echelon -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1964 Echelon.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1964 wrote to memory of 1804 1964 Echelon.exe 31 PID 1964 wrote to memory of 1804 1964 Echelon.exe 31 PID 1964 wrote to memory of 1804 1964 Echelon.exe 31