echelon | c82f559937fdd6cafdb5e32217ee6fb571c165759397c507cc8af248b337edb6

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 00:17

Target

StealerSS.exe
Size

1.0MB
MD5

bdad088bc08af6ba5fcd5fb7e6955e68
SHA1

f6d233b34a0a9be3a58b0cc60f9ba36c2a44158b
SHA256

c82f559937fdd6cafdb5e32217ee6fb571c165759397c507cc8af248b337edb6
SHA512

c539ecc5a16d0a08858bf79eb1ea8d1b7fcf2b6e9eb1c8fea545d2cc9bdea8676a9690dbffffaf82d6d95649590bff8a67c49ed81920ea8a68b177fe9f9fd9ac
SSDEEP

24576:0NRHGhhUF54clNf7+6uHAW92zt/sWu2BSMCqD8kUJ:0Nqo54clgLH+tkWJ0ZzJ

Score

10^/10

Detects Echelon Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2988-1-0x00000000011A0000-0x00000000012A6000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon family
echelon

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	StealerSS.exe

C:\Users\Admin\AppData\Local\Temp\StealerSS.exe
"C:\Users\Admin\AppData\Local\Temp\StealerSS.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

memory/2988-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/2988-1-0x00000000011A0000-0x00000000012A6000-memory.dmp

Filesize
1.0MB

Download
memory/2988-2-0x0000000000CB0000-0x0000000000D26000-memory.dmp

Filesize
472KB

Download
memory/2988-3-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-4-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download