echelon | e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

General

Target

Moist.exe
Size

814KB
MD5

f855dffcbd21d4e4a59eed5a7a392af9
SHA1

178dc356191ebca6bf294525183212ac2e5a0bd8
SHA256

e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b
SHA512

0a08d1242a13c85f0f88ef54b77400da1a5c20570163635274ab9f63514e4b8b46a912dab28e3cc8a25963e39ade97b6310437587475893ff4935b4819c8ffbc

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 2 IoCs

Processes:

Clipper.exeClipper.exe

pid process

412 Clipper.exe
4044 Clipper.exe

pid	process
412	Clipper.exe
4044	Clipper.exe

Drops startup file 2 IoCs

Processes:

Clipper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
11 api.ipify.org
12 ip-api.com

flow	ioc
10	api.ipify.org
11	api.ipify.org
12	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Moist.exeClipper.exe

description	pid	process	target process
PID 728 set thread context of 1852	728	Moist.exe	Moist.exe
PID 412 set thread context of 4044	412	Clipper.exe	Clipper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1232 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Moist.exeClipper.exeMoist.exe

pid process

728 Moist.exe
728 Moist.exe
412 Clipper.exe
412 Clipper.exe
1852 Moist.exe
1852 Moist.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Moist.exeMoist.exeClipper.exe

description pid process

Token: SeDebugPrivilege 728 Moist.exe
Token: SeDebugPrivilege 1852 Moist.exe
Token: SeDebugPrivilege 412 Clipper.exe

pid	process
1232	timeout.exe

pid	process
728	Moist.exe
728	Moist.exe
412	Clipper.exe
412	Clipper.exe
1852	Moist.exe
1852	Moist.exe

description	pid	process
Token: SeDebugPrivilege	728	Moist.exe
Token: SeDebugPrivilege	1852	Moist.exe
Token: SeDebugPrivilege	412	Clipper.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Moist.exeClipper.exeMoist.execmd.exe

description	pid	process	target process
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 1852	728	Moist.exe	Moist.exe
PID 728 wrote to memory of 412	728	Moist.exe	Clipper.exe
PID 728 wrote to memory of 412	728	Moist.exe	Clipper.exe
PID 728 wrote to memory of 412	728	Moist.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 412 wrote to memory of 4044	412	Clipper.exe	Clipper.exe
PID 1852 wrote to memory of 4092	1852	Moist.exe	cmd.exe
PID 1852 wrote to memory of 4092	1852	Moist.exe	cmd.exe
PID 1852 wrote to memory of 4092	1852	Moist.exe	cmd.exe
PID 4092 wrote to memory of 1232	4092	cmd.exe	timeout.exe
PID 4092 wrote to memory of 1232	4092	cmd.exe	timeout.exe
PID 4092 wrote to memory of 1232	4092	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp50FF.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:1232

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Moist.exe.log
MD5
7a98b05029871a0e5f2f2a1af2d253a1

SHA1
287ee1c3381286b093f6711851f696530fb45004

SHA256
58f3ba36a56ce50b485f008fd9de28cfac838c8d800c196dfde1267ec4324e77

SHA512
d4c7de41c70e634d812247b8812374ba4375cd778fd017145b63b323786c9d82580d344efbcee589cfb7f4f9068c0083a59a3edee6835decdf052e5555733bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50FF.tmp.bat
MD5
8958a396d9656251ccd7b96838b9e9f3

SHA1
3dc29ac9f55c7fd0f7d71a71eaec51c97dc6a401

SHA256
bed65f6aacd36099302bc2c6bb05c4f58c2f1fafaf544f0c4bcf0b84765b53ce

SHA512
bd5085eb5a8f10a7b5864213dc35c387af37e50a2b2a6900d2e902912a4a8626baa5d4da94107a5dbb1c92e3ad8ebaa666f934d572b99e713c6e5436083408eb

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
memory/412-27-0x00000000054A0000-0x00000000054A5000-memory.dmp

Filesize
20KB

Download
memory/412-25-0x0000000005290000-0x0000000005294000-memory.dmp

Filesize
16KB

Download
memory/412-14-0x0000000000000000-mapping.dmp

Download
memory/412-19-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/412-18-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/728-7-0x00000000059B0000-0x00000000059B5000-memory.dmp

Filesize
20KB

Download
memory/728-1-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/728-6-0x00000000050E0000-0x00000000050E4000-memory.dmp

Filesize
16KB

Download
memory/728-4-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/728-0-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/728-3-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/728-5-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1232-41-0x0000000000000000-mapping.dmp

Download
memory/1852-9-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1852-26-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1852-24-0x0000000006350000-0x00000000063C0000-memory.dmp

Filesize
448KB

Download
memory/1852-16-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1852-11-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1852-10-0x00000000004A110E-mapping.dmp

Download
memory/4044-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4044-30-0x000000000040D54E-mapping.dmp

Download
memory/4044-32-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/4092-39-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads