Analysis Overview
SHA256
e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3
Threat Level: Known bad
The file e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe was found to be: Known bad.
Malicious Activity Summary
Echelon family
Echelon
Detects Echelon Stealer payload
Reads user/profile data of web browsers
Looks up external IP address via web service
Unsigned PE
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 08:09
Signatures
Detects Echelon Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Echelon family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 08:09
Reported
2024-11-22 08:11
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Detects Echelon Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Echelon
Echelon family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe
"C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
memory/2580-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp
memory/2580-1-0x00000000003D0000-0x00000000004F6000-memory.dmp
memory/2580-2-0x00000000025D0000-0x0000000002646000-memory.dmp
memory/2580-3-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp
memory/2580-4-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 08:09
Reported
2024-11-22 08:11
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
93s
Command Line
Signatures
Detects Echelon Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Echelon
Echelon family
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe
"C:\Users\Admin\AppData\Local\Temp\e98261eab9b28563f5cd7628b8c4760106ca8daa8b7270c62dea4280c4b533d3.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f0583773.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0583773.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.14.97.104.in-addr.arpa | udp |
Files
memory/2780-0-0x00007FFD14343000-0x00007FFD14345000-memory.dmp
memory/2780-1-0x0000000000100000-0x0000000000226000-memory.dmp
memory/2780-2-0x000000001BCB0000-0x000000001BD26000-memory.dmp
memory/2780-3-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp
C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Browsers\Passwords\Passwords_Edge.txt
| MD5 | ae9fee87cd34e9026867a460c0afd595 |
| SHA1 | d5015017ca1463c434c7f438decfe4a26378d4f1 |
| SHA256 | 2217079fde440a3e8f14398828561c86f9f4f80e6781dd7eef3be8bf0e36caa0 |
| SHA512 | 9b59342c7ac9fc3f9818e2475a78f6827ba62da76f1312dbb4c28f7b23769785e79d61f1f494998194d714d69c6b62de07a3084542f15d51ca0259392280ff2d |
C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Browsers\Passwords\Passwords_Edge.txt
| MD5 | 42fa959509b3ed7c94c0cf3728b03f6d |
| SHA1 | 661292176640beb0b38dc9e7a462518eb592d27d |
| SHA256 | 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00 |
| SHA512 | 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007 |
C:\Users\Admin\AppData\Local\JDTBLu1A76F31633\331A76F316JDTBLu\Grabber\UnregisterLimit.txt
| MD5 | 37babdfe5d304ba15584e3cd38cbfbbe |
| SHA1 | 944553b2ab5caf0f2eb304678b756549fc5c719d |
| SHA256 | 93453d91950d98bc2cc1801b23627fc4f995f57cfc37f61b3eb59c62ca23be2a |
| SHA512 | aa8a6eec851e99fce8fc1db20d6bf6b69b59fe140c1b78c4f7f361f37ef0a7796951df9d71f5390ce81052233e37124c48805de439986d55622ef4ed09c9caa9 |
memory/2780-77-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp