echelon | 3ccfba4ea524addfcbe7be67231761b6c066e030d25a5ad45d2d20a8d8deb1d1 | Triage

Submit
Reports

Overview

overview

Static

static

paulo.exe

windows7_x64

paulo.exe

windows10_x64

Sharing

General

Target

paulo.exe
Size

2.3MB
Sample

200814-ny4c9zjh4j
MD5

550b37b4d263f0fcb4e16f999e19a7f8
SHA1

e8598cadf6dc079756ff7e322092c540711c34cc
SHA256

3ccfba4ea524addfcbe7be67231761b6c066e030d25a5ad45d2d20a8d8deb1d1
SHA512

bb38ccc6be0286dbe3b84d87274013d722a4a40802021f4712f4e5c2787d1e08275ac15e1a1c8dfda6867d7f8fb7c3003939d66158a6b4ddb8c13dc05915504b

Score

10^/10

echelon agilenet discovery spyware stealer

Static task

static1

keylogger stealer agenttesla

Behavioral task

behavioral1

Sample

paulo.exe

Resource

win7v200722

echelon agilenet discovery spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

paulo.exe

Resource

win10v200722

echelon agilenet spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  paulo.exe
- Size
  
  2.3MB
- MD5
  
  550b37b4d263f0fcb4e16f999e19a7f8
- SHA1
  
  e8598cadf6dc079756ff7e322092c540711c34cc
- SHA256
  
  3ccfba4ea524addfcbe7be67231761b6c066e030d25a5ad45d2d20a8d8deb1d1
- SHA512
  
  bb38ccc6be0286dbe3b84d87274013d722a4a40802021f4712f4e5c2787d1e08275ac15e1a1c8dfda6867d7f8fb7c3003939d66158a6b4ddb8c13dc05915504b
Score

10^/10

echelon agilenet discovery spyware stealer
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Echelon log file
  Detects a log file produced by Echelon.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

keyloggerstealeragenttesla

behavioral1

echelonagilenetdiscoveryspywarestealer

behavioral2

echelonagilenetspywarestealer

© 2018-2024

Terms | Privacy