MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Echelon

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e
SHA3-384 hash:	7089607130d954b0b56cafc18dbecaf5b81eda061020473df0244377114c507cbbb45b24a197bb6d6d1011b2d8449513
SHA1 hash:	32e5ee49475a930da2ffe199be41e7b639d1ae1b
MD5 hash:	1b01af0b820d4c8d3ebe3723cfefc5f8
humanhash:	ten-skylark-batman-wyoming
File name:	NordVPNSetup.exe
Download:	download sample
Signature	Echelon Create hunting rule
File size:	1'132'336 bytes
First seen:	2021-09-07 06:24:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:FJlFQqjI/itY7AnE4le1Qtb37a3/rluBg+VzNnKLY:FJlLSYQa1Fb37aPrMe+qLY
Threatray	231 similar samples on MalwareBazaar
TLSH	T16535E0E67684CB47EA295C70C1DB687863596EEB54B0DA8DFEC4318A0F123313E06D8C
dhash icon	71f0e8ccccd4e871 (1 x Echelon)
Reporter	JAMESWT_WT
Tags:	bitbucket.org Echelon exe

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NordVPNSetup.exe

Verdict:

Malicious activity

Analysis date:

2021-09-07 07:06:32 UTC

Tags:

evasion stealer

Link:

https://app.any.run/tasks/8c596715-b43d-47d9-a39a-7047b4ea8e36

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Echelon

Link:

https://www.capesandbox.com/analysis/185896/

Detection(s):

SecuriteInfo.com.Trojan.PWS.StealerNET.47.24313.24370.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01badd3b-b6f5-4a74-9ebd-ad9abfad7152

Result

Threat name:

Ades Stealer Echelon Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/846421

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to capture screen (.Net source)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected Ades Stealer

Yara detected Echelon Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-09-11 01:15:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5lxdw7zt42am726ky5ruwdvavlx2zblexrigapfzazu2ipmjukpa._file

Verdict:

malicious

Result

Malware family:

echelon

Score:

10/10

Tags:

family:echelon discovery spyware stealer

Link:

https://tria.ge/reports/210907-g6ps6sfcem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

Echelon

Unpacked files

SH256 hash:

4d7851bb977d7bd1d7503e994bc4c4083faa2751f41624237309157b1b88681d

MD5 hash:

60caabbd43235889d64f230617c0e24e

SHA1 hash:

f5f922bd3c69591663187d40ad732c73a5bda290

Link:

https://www.unpac.me/results/17605363-9e74-486e-b7c9-7ebb58f58530/

SH256 hash:

f612199cb05ad652e1ea5fba17bc93e09a44acfb4464880a673e29bd8ab5a1f9

MD5 hash:

120dd02a21093838004e89c301e03d6d

SHA1 hash:

9dfecf63e97a761d35177e0d8ab252a3596da712

Link:

https://www.unpac.me/results/17605363-9e74-486e-b7c9-7ebb58f58530/

SH256 hash:

e388be058eec5efce98b5a7f7ed1ce593aacc738c1e55c2e9a773a1427f58712

MD5 hash:

bb9384c498711337a5cf0fea0439f4a0

SHA1 hash:

6d43ebe26d8e2a87d10f179e73b357f3049ef8f2

Link:

https://www.unpac.me/results/17605363-9e74-486e-b7c9-7ebb58f58530/

SH256 hash:

62ba5a6f2a6eca5b102fa22b4b8a120abbfd782e52d0ba34475b806b2f2ef5e7

MD5 hash:

e6956fc04c71ea8b8fdfc66d4370ae83

SHA1 hash:

55960a0728a3cac5853a02ff982999e4e09f7766

Link:

https://www.unpac.me/results/17605363-9e74-486e-b7c9-7ebb58f58530/

SH256 hash:

858bc452d5d80f927f4c671eeace1803ccf4909da61ddd87c4cc648f7571e2d5

MD5 hash:

0b9340de1080763dfed87b1979c74514

SHA1 hash:

3ee2a62a2b69010d27aea1ff80d86fca3c243ad8

Link:

https://www.unpac.me/results/17605363-9e74-486e-b7c9-7ebb58f58530/

SH256 hash:

eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e

MD5 hash:

1b01af0b820d4c8d3ebe3723cfefc5f8

SHA1 hash:

32e5ee49475a930da2ffe199be41e7b639d1ae1b

Link:

https://www.unpac.me/results/17605363-9e74-486e-b7c9-7ebb58f58530/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/eaee3b7f33e6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Echelon

exe eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/460138/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/185896/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample