echelon | 861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788

General

Target

DataStealer from 1_2.exe
Size

1.2MB
MD5

7dba2e8ecbad5b33646e03a4af78967a
SHA1

f538fe80f76330e7d548e4f9b5171a56116d8e5e
SHA256

861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788
SHA512

b6a5e07b0227a6acecfba1917de66099e42c69632333e49f75b4c8d8191cb268bea4c751be2afd763089ea205083a35cf6c2b8c15de02e3564a842d5c3d8d1c6

Score

10^/10

spyware discovery stealer echelon

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DataStealer from 1_2.exe

description pid process

Token: SeDebugPrivilege 900 DataStealer from 1_2.exe

description	pid	process
Token: SeDebugPrivilege	900	DataStealer from 1_2.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

DataStealer from 1_2.exe

pid	process
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
8 ip-api.com
10 api.ipify.org
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

flow	ioc
4	api.ipify.org
5	api.ipify.org
8	ip-api.com
10	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

DataStealer from 1_2.exe

pid	process
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe
900	DataStealer from 1_2.exe

Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

yara_rule
echelon_log_file

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DataStealer from 1_2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	DataStealer from 1_2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a11800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	DataStealer from 1_2.exe

C:\Users\Admin\AppData\Local\Temp\DataStealer from 1_2.exe
"C:\Users\Admin\AppData\Local\Temp\DataStealer from 1_2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:900