echelon | 3ccfba4ea524addfcbe7be67231761b6c066e030d25a5ad45d2d20a8d8deb1d1

General

Target

paulo.exe
Size

2.3MB
MD5

550b37b4d263f0fcb4e16f999e19a7f8
SHA1

e8598cadf6dc079756ff7e322092c540711c34cc
SHA256

3ccfba4ea524addfcbe7be67231761b6c066e030d25a5ad45d2d20a8d8deb1d1
SHA512

bb38ccc6be0286dbe3b84d87274013d722a4a40802021f4712f4e5c2787d1e08275ac15e1a1c8dfda6867d7f8fb7c3003939d66158a6b4ddb8c13dc05915504b

Score

10^/10

echelon agilenet spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Loads dropped DLL 1 IoCs

Processes:

paulo.exe

pid process

3832 paulo.exe

pid	process
3832	paulo.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3832-3-0x00000000029C0000-0x00000000029DC000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

paulo.exe

pid	process
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

paulo.exe

description pid process target process

PID 3832 set thread context of 3964 3832 paulo.exe paulo.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1104 3964 WerFault.exe paulo.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

paulo.exepaulo.exe

pid process

3832 paulo.exe
3832 paulo.exe
3832 paulo.exe
3964 paulo.exe
3964 paulo.exe
3964 paulo.exe
3964 paulo.exe
3964 paulo.exe
3964 paulo.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

paulo.exepaulo.exe

description pid process

Token: SeDebugPrivilege 3832 paulo.exe
Token: SeDebugPrivilege 3964 paulo.exe

description	pid	process	target process
PID 3832 set thread context of 3964	3832	paulo.exe	paulo.exe

pid	pid_target	process	target process
1104	3964	WerFault.exe	paulo.exe

pid	process
3832	paulo.exe
3832	paulo.exe
3832	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe
3964	paulo.exe

description	pid	process
Token: SeDebugPrivilege	3832	paulo.exe
Token: SeDebugPrivilege	3964	paulo.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

paulo.exe

description	pid	process	target process
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe
PID 3832 wrote to memory of 3964	3832	paulo.exe	paulo.exe

C:\Users\Admin\AppData\Local\Temp\paulo.exe
"C:\Users\Admin\AppData\Local\Temp\paulo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\paulo.exe
"C:\Users\Admin\AppData\Local\Temp\paulo.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 2080
3⤵
- Program crash
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\paulo.exe.log
MD5
63db74a42ad0abb6f3c10a9df7f78372

SHA1
9647fce4693547193c6b7e7eb043f1cebefe8b9d

SHA256
7fd87322db6af9a75d73d7b895e1d3077faaf11e1bfcc236f60a280900dae057

SHA512
ca3c8730d856943a8d778c72e32fc4558009bff77159e657ac51625bb1eff0798d416e957e4813b61e622af62c704231280558fe3478d0fb1e3c8d943771cc66

Download Submit
\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/3832-7-0x0000000005790000-0x0000000005793000-memory.dmp

Filesize
12KB

Download
memory/3832-3-0x00000000029C0000-0x00000000029DC000-memory.dmp

Filesize
112KB

Download
memory/3832-5-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

Filesize
4KB

Download
memory/3832-6-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3832-0-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/3832-1-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3964-9-0x000000000052CCD2-mapping.dmp

Download
memory/3964-11-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/3964-12-0x0000000000700000-0x0000000000832000-memory.dmp

Filesize
1.2MB

Download
memory/3964-14-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3964-15-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3964-16-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3964-17-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads