Malware Analysis Report

2024-11-30 05:51

Sample ID: 241122-j18p7sxkas
Target: e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe
SHA256: e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3
Tags: echelon, spyware, stealer, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3

Threat Level: Known bad

The file e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe was found to be: Known bad.

Malicious Activity Summary

Tags: echelon, spyware, stealer, discovery

Echelon family

Echelon

Detects Echelon Stealer payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Unsigned PE

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-22 08:09

Signatures

Detects Echelon Stealer payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Echelon family

echelon

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-22 08:09
Reported: 2024-11-22 08:11
Platform: win7-20241010-en
Max time kernel: 13s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe"

Signatures

Detects Echelon Stealer payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Echelon

stealer spyware echelon

Echelon family

echelon

Looks up external IP address via web service

Description   Indicator       Process   Target
N/A           api.ipify.org   N/A       N/A
N/A           api.ipify.org   N/A       N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                                                                                     Target
Token: SeDebugPrivilege   N/A         C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe

"C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe"

Network

Country   Destination         Domain          Proto
US        8.8.8.8:53          api.ipify.org   udp
US        104.26.13.205:443   api.ipify.org   tcp

Files

memory/2580-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

memory/2580-1-0x00000000003D0000-0x00000000004F6000-memory.dmp

memory/2580-2-0x00000000025D0000-0x0000000002646000-memory.dmp

memory/2580-3-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

memory/2580-4-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-22 08:09
Reported: 2024-11-22 08:11
Platform: win10v2004-20241007-en
Max time kernel: 91s
Max time network: 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe"

Signatures

Detects Echelon Stealer payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Echelon

stealer spyware echelon

Echelon family

echelon

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description   Indicator       Process   Target
N/A           api.ipify.org   N/A       N/A
N/A           api.ipify.org   N/A       N/A

Browser Information Discovery

discovery

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                                                                                     Target
Token: SeDebugPrivilege   N/A         C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe

"C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe"

Network

Country   Destination         Domain                         Proto
US        8.8.8.8:53          api.ipify.org                  udp
US        8.8.8.8:53          8.8.8.8.in-addr.arpa           udp
US        172.67.74.152:443   api.ipify.org                  tcp
US        8.8.8.8:53          152.74.67.172.in-addr.arpa     udp
US        8.8.8.8:53          232.168.11.51.in-addr.arpa     udp
US        8.8.8.8:53          80.14.97.104.in-addr.arpa      udp
US        8.8.8.8:53          73.31.126.40.in-addr.arpa      udp
US        8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US        8.8.8.8:53          f0583773.xsph.ru               udp
RU        141.8.197.42:80     f0583773.xsph.ru               tcp
US        8.8.8.8:53          42.197.8.141.in-addr.arpa      udp
US        8.8.8.8:53          50.23.12.20.in-addr.arpa       udp
US        8.8.8.8:53          206.23.85.13.in-addr.arpa      udp
US        8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US        8.8.8.8:53          81.14.97.104.in-addr.arpa      udp
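The two runs differ in a way the tables above show but do not state: the Win7 run (behavioral1) ended after 13 s with nothing beyond the api.ipify.org lookup, while the Win10 run (behavioral2) went on to write the credential dumps listed under Files and then opened a cleartext TCP/80 connection to f0583773.xsph.ru (141.8.197.42, RU). The ipify call is the tell the report's "Looks up external IP address" signature keys on, but ipify is a public service, not the operator's infrastructure; the xsph.ru host is the endpoint that needs blocking and inspection. The script below is an added example, not part of the original report or of any sandbox tooling: it parses the behavioral2 Network rows exactly as printed, separates resolver queries and reverse (PTR) lookups from real egress, discounts the IP-lookup service, and leaves the unexplained connection as the exfiltration candidate. It assumes 8.8.8.8 is the sandbox resolver and that the PTR lookups with no matching forward connection are background traffic from the analysis VM, neither of which the report confirms.

```python
"""Triage the Network rows of a sandbox report (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the behavioral2 Network table of this report.
NETWORK_ROWS = """
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 f0583773.xsph.ru udp
RU 141.8.197.42:80 f0583773.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
"""

# Assumption: the sandbox resolves through 8.8.8.8, so UDP/53 to it is a lookup, not C2.
SANDBOX_RESOLVERS = {"8.8.8.8"}
# api.ipify.org is the service named in the report's signature; stealers call it to tag
# the victim's public IP. The call is an indicator, the service itself is not the C2.
IP_LOOKUP_SERVICES = {"api.ipify.org"}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str

    @property
    def is_resolver_query(self) -> bool:
        return self.proto == "udp" and self.port == 53 and self.ip in SANDBOX_RESOLVERS


def parse_rows(text: str) -> List[Row]:
    """Parse 'CC ip:port domain proto' rows; a 'Country ...' header line is skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        rows.append(Row(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return rows


def ptr_target(domain: str) -> Optional[str]:
    """'152.74.67.172.in-addr.arpa' -> '172.67.74.152'; PTR names list the octets reversed."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def triage(text: str) -> Dict[str, list]:
    rows = parse_rows(text)
    forward_names, reverse_targets = set(), set()
    ip_lookup, candidates = [], []
    for r in rows:
        if r.is_resolver_query:
            target = ptr_target(r.domain)
            if target is None:
                forward_names.add(r.domain)
            else:
                reverse_targets.add(target)
        elif r.domain in IP_LOOKUP_SERVICES:
            ip_lookup.append(r)
        else:
            candidates.append(r)
    # Addresses the sample actually connected to (everything that was not a resolver query).
    contacted = {r.ip for r in rows if not r.is_resolver_query}
    return {
        "forward_lookups": sorted(forward_names),
        "ip_lookup": [f"{r.ip}:{r.port}" for r in ip_lookup],
        # Whatever is left after removing DNS and the IP-lookup service is the egress an
        # analyst must explain; here it is a single cleartext TCP/80 session to an RU host.
        "candidate_c2": [(r.ip, r.port, r.domain, r.country) for r in candidates],
        "ptr_for_contacted": sorted(reverse_targets & contacted),
        # PTR lookups with no matching forward connection: assumed sandbox background noise.
        "ptr_unmatched": sorted(reverse_targets - contacted),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Run on the rows above, the only entry under candidate_c2 is 141.8.197.42:80 (f0583773.xsph.ru), which is what the Files section's credential dumps were most likely sent to; because it is plain HTTP, a PCAP from a re-detonation will show the upload body, which is the fastest way to confirm what the stealer collected.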

Files

memory/2780-0-0x00007FFD14343000-0x00007FFD14345000-memory.dmp

memory/2780-1-0x0000000000100000-0x0000000000226000-memory.dmp

memory/2780-2-0x000000001BCB0000-0x000000001BD26000-memory.dmp

memory/2780-3-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Browsers\Passwords\Passwords_Edge.txt

MD5 ae9fee87cd34e9026867a460c0afd595
SHA1 d5015017ca1463c434c7f438decfe4a26378d4f1
SHA256 2217079fde440a3e8f14398828561c86f9f4f80e6781dd7eef3be8bf0e36caa0
SHA512 9b59342c7ac9fc3f9818e2475a78f6827ba62da76f1312dbb4c28f7b23769785e79d61f1f494998194d714d69c6b62de07a3084542f15d51ca0259392280ff2d

C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Browsers\Passwords\Passwords_Edge.txt (same path as the entry above, listed a second time with a different hash set, so its contents differed between the two captures)

MD5 42fa959509b3ed7c94c0cf3728b03f6d
SHA1 661292176640beb0b38dc9e7a462518eb592d27d
SHA256 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA512 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Grabber\UnregisterLimit.txt

MD5 37babdfe5d304ba15584e3cd38cbfbbe
SHA1 944553b2ab5caf0f2eb304678b756549fc5c719d
SHA256 93453d91950d98bc2cc1801b23627fc4f995f57cfc37f61b3eb59c62ca23be2a
SHA512 aa8a6eec851e99fce8fc1db20d6bf6b69b59fe140c1b78c4f7f361f37ef0a7796951df9d71f5390ce81052233e37124c48805de439986d55622ef4ed09c9caa9

memory/2780-77-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp
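A caveat on the Files section: the MD5/SHA1/SHA256/SHA512 values are of the stealer's own output (credential dumps written on the victim), so they are specific to this VM and this run and are not reusable indicators; the directory layout under AppData\Local is. The script below is an added example, not part of the original report: it parses the three file entries exactly as printed, reports the path that appears twice with different hashes, and derives a path-based hunt pattern. The pattern (two 16-character alphanumeric directories, then Browsers\Passwords\Passwords_<browser>.txt or Grabber\<file>) is generalised from the two paths in this run only; the exact length 16 and the Passwords_Chrome.txt sample path used to show the generalisation are assumptions, as is the benign Edge profile path used as a negative case.

```python
"""Turn the Files entries of a sandbox report into indicators (added example, not from the report)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Copied from the behavioral2 Files section of this report (memory dumps left out).
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Browsers\Passwords\Passwords_Edge.txt
MD5 ae9fee87cd34e9026867a460c0afd595
SHA1 d5015017ca1463c434c7f438decfe4a26378d4f1
SHA256 2217079fde440a3e8f14398828561c86f9f4f80e6781dd7eef3be8bf0e36caa0
SHA512 9b59342c7ac9fc3f9818e2475a78f6827ba62da76f1312dbb4c28f7b23769785e79d61f1f494998194d714d69c6b62de07a3084542f15d51ca0259392280ff2d
C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Browsers\Passwords\Passwords_Edge.txt
MD5 42fa959509b3ed7c94c0cf3728b03f6d
SHA1 661292176640beb0b38dc9e7a462518eb592d27d
SHA256 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA512 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007
C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Grabber\UnregisterLimit.txt
MD5 37babdfe5d304ba15584e3cd38cbfbbe
SHA1 944553b2ab5caf0f2eb304678b756549fc5c719d
SHA256 93453d91950d98bc2cc1801b23627fc4f995f57cfc37f61b3eb59c62ca23be2a
SHA512 aa8a6eec851e99fce8fc1db20d6bf6b69b59fe140c1b78c4f7f361f37ef0a7796951df9d71f5390ce81052233e37124c48805de439986d55622ef4ed09c9caa9
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: generalised from the two paths in this run. Two 16-character alphanumeric
# directories under AppData\Local, then Browsers\Passwords\Passwords_<browser>.txt or
# Grabber\<file>. The {16} is what this sample produced; loosen it if variants differ.
ECHELON_OUTPUT_RE = re.compile(
    r"\\AppData\\Local\\[A-Za-z0-9]{16}\\[A-Za-z0-9]{16}\\"
    r"(?:Browsers\\Passwords\\Passwords_[A-Za-z]+\.txt|Grabber\\[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_files(text: str) -> List[FileEntry]:
    """A path line opens an entry; the 'ALG hex' lines that follow belong to it."""
    entries: List[FileEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            entries.append(FileEntry(line))
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1].hashes[m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return entries


def paths_with_multiple_hashes(entries: List[FileEntry]) -> Dict[str, List[str]]:
    """Paths listed more than once with different SHA256s: the file's contents changed
    between captures, so a single hash of it would never be a stable indicator."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        seen[e.path].append(e.hashes["SHA256"])
    return {p: hs for p, hs in seen.items() if len(set(hs)) > 1}


def matches_echelon_layout(path: str) -> bool:
    """True when a path fits the output-tree layout observed in this run."""
    return ECHELON_OUTPUT_RE.search(path) is not None


if __name__ == "__main__":
    entries = parse_files(FILES_SECTION)
    for e in entries:
        flag = "echelon-layout" if matches_echelon_layout(e.path) else ""
        print(e.hashes["SHA256"], e.path, flag)
    for p, hs in paths_with_multiple_hashes(entries).items():
        print("rewritten during run:", p, hs)
```

On a host, the useful check is therefore a directory walk of %LOCALAPPDATA% for paths that satisfy matches_echelon_layout, not a hash sweep; if the output directory is found, its Browsers\Passwords files tell you which credentials were already collected before the TCP/80 session to f0583773.xsph.ru seen in the Network section.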