MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 973c9fe636b25a342857b8cc93d9631d45c6be479176f9df58db8bfc72cbbbca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
EchelonStealer
Vendor detections: 11
| SHA256 hash: | 973c9fe636b25a342857b8cc93d9631d45c6be479176f9df58db8bfc72cbbbca |
|---|---|
| SHA3-384 hash: | bb41a7a589b9b13f54a11a2b22db8b9f870c44d7653a905f0626df87e0f6290a57543d659eb518f75c30a83bef97259b |
| SHA1 hash: | 650b5204b5e0984dbc777c35f21529b09d0d72c6 |
| MD5 hash: | efde75772e570c878771bc38885762ad |
| humanhash: | east-enemy-robin-eighteen |
| File name: | Lucky Fixed.exe |
| Download: | download sample |
| Signature | EchelonStealer |
| File size: | 1'334'272 bytes |
| First seen: | 2022-04-03 20:29:23 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 24576:oKpvbuhZUTd8hhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRX:TbKo54clgLH+tkWJ0NJ |
| Threatray | 367 similar samples on MalwareBazaar |
| TLSH | T1C255F10433EC4B26E1FF5BB5E0B255A0C3B1B566A92EEB8F5D8464EE1D17350C910BA3 |
| Reporter |  adm1n_usa32 |
| Tags: | EchelonStealer exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lucky Fixed.exe
Verdict:
Malicious activity
Analysis date:
2022-04-03 20:28:20 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Echelon
Result
Verdict:
Malware
Maliciousness:
Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm coinminer grandsteal obfuscated packed replace.exe stealer update.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Echelon Stealer
Verdict:
Malicious
Result
Threat name:
Ades Stealer Echelon Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Ades Stealer
Yara detected Costura Assembly Loader
Yara detected Echelon Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Infostealer.Echelon
Status:
Malicious
First seen:
2021-04-11 07:19:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
34 of 42 (80.95%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 357 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
MD5 hash:
11bbdf80d756b3a877af483195c60619
SHA1 hash:
99aca4f325d559487abc51b0d2ebd4dca62c9462
SH256 hash:
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b
MD5 hash:
de81e7651c6e62b4c7195ac2e6befbc0
SHA1 hash:
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32
SH256 hash:
973c9fe636b25a342857b8cc93d9631d45c6be479176f9df58db8bfc72cbbbca
MD5 hash:
efde75772e570c878771bc38885762ad
SHA1 hash:
650b5204b5e0984dbc777c35f21529b09d0d72c6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | grakate_stealer_nov_2021 |
|---|
| Rule name: | INDICATOR_EXE_Packed_Fody |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables manipulated with Fody |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing bas64 encoded gzip files |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_VPN |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many VPN software clients. Observed in infosteslers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | malware_Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | MALWARE_Win_Avalon |
|---|---|
| Author: | ditekSHen |
| Description: | Avalon infostealer payload |
| Rule name: | MALWARE_Win_Echelon |
|---|---|
| Author: | ditekSHen |
| Description: | Echelon information stealer payload |
| Rule name: | MAL_Lokibot_Stealer |
|---|---|
| Description: | Detects Lokibot Stealer Variants |
| Rule name: | pe_imphash |
|---|
| Rule name: | Redline_Stealer_Monitor |
|---|---|
| Description: | Detects RedLine Stealer Variants |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.