echelon | e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

General

Target

Moist.exe
Size

814KB
MD5

f855dffcbd21d4e4a59eed5a7a392af9
SHA1

178dc356191ebca6bf294525183212ac2e5a0bd8
SHA256

e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b
SHA512

0a08d1242a13c85f0f88ef54b77400da1a5c20570163635274ab9f63514e4b8b46a912dab28e3cc8a25963e39ade97b6310437587475893ff4935b4819c8ffbc

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 2 IoCs

Processes:

Clipper.exeClipper.exe

pid process

3952 Clipper.exe
2164 Clipper.exe

pid	process
3952	Clipper.exe
2164	Clipper.exe

Drops startup file 2 IoCs

Processes:

Clipper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
15 ip-api.com

flow	ioc
13	api.ipify.org
14	api.ipify.org
15	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Moist.exeClipper.exe

description	pid	process	target process
PID 3816 set thread context of 8	3816	Moist.exe	regasm.exe
PID 3952 set thread context of 2164	3952	Clipper.exe	Clipper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2184 timeout.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Moist.exeClipper.exeregasm.exe

pid process

3816 Moist.exe
3816 Moist.exe
3816 Moist.exe
3816 Moist.exe
3952 Clipper.exe
3952 Clipper.exe
8 regasm.exe
8 regasm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Moist.exeClipper.exeregasm.exe

description pid process

Token: SeDebugPrivilege 3816 Moist.exe
Token: SeDebugPrivilege 3952 Clipper.exe
Token: SeDebugPrivilege 8 regasm.exe

pid	process
2184	timeout.exe

pid	process
3816	Moist.exe
3816	Moist.exe
3816	Moist.exe
3816	Moist.exe
3952	Clipper.exe
3952	Clipper.exe
8	regasm.exe
8	regasm.exe

description	pid	process
Token: SeDebugPrivilege	3816	Moist.exe
Token: SeDebugPrivilege	3952	Clipper.exe
Token: SeDebugPrivilege	8	regasm.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Moist.exeClipper.exeregasm.execmd.exe

description	pid	process	target process
PID 3816 wrote to memory of 3932	3816	Moist.exe	Moist.exe
PID 3816 wrote to memory of 3932	3816	Moist.exe	Moist.exe
PID 3816 wrote to memory of 3932	3816	Moist.exe	Moist.exe
PID 3816 wrote to memory of 3952	3816	Moist.exe	Clipper.exe
PID 3816 wrote to memory of 3952	3816	Moist.exe	Clipper.exe
PID 3816 wrote to memory of 3952	3816	Moist.exe	Clipper.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3816 wrote to memory of 8	3816	Moist.exe	regasm.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 3952 wrote to memory of 2164	3952	Clipper.exe	Clipper.exe
PID 8 wrote to memory of 2644	8	regasm.exe	cmd.exe
PID 8 wrote to memory of 2644	8	regasm.exe	cmd.exe
PID 8 wrote to memory of 2644	8	regasm.exe	cmd.exe
PID 2644 wrote to memory of 2184	2644	cmd.exe	timeout.exe
PID 2644 wrote to memory of 2184	2644	cmd.exe	timeout.exe
PID 2644 wrote to memory of 2184	2644	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
2⤵
PID:3932

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA1AF.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA1AF.tmp.bat
MD5
6b462f7aaea8175ffecaebed7f7484d9

SHA1
81b9d8702e23fa5614ae20944c6268f863f66636

SHA256
7d5c9427277aaee3464f3f7675beb77732a4710bb06cb5f247b867022a0ecca9

SHA512
b68f3466d74444a4bbda183750fdd1bc472acd78abf19eb06a82563be3f101bffb1659c765dac3aa6e7599b85594a653083c6c73d375fa839cf1f39e12d6ac38

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
memory/8-24-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/8-20-0x00000000004A110E-mapping.dmp

Download
memory/8-19-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/8-36-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/8-35-0x0000000005E90000-0x0000000005F00000-memory.dmp

Filesize
448KB

Download
memory/8-21-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-30-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2164-28-0x000000000040D54E-mapping.dmp

Download
memory/2184-41-0x0000000000000000-mapping.dmp

Download
memory/2644-39-0x0000000000000000-mapping.dmp

Download
memory/3816-7-0x0000000005500000-0x0000000005505000-memory.dmp

Filesize
20KB

Download
memory/3816-0-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/3816-6-0x00000000053C0000-0x00000000053C4000-memory.dmp

Filesize
16KB

Download
memory/3816-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3816-4-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3816-3-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3816-1-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3952-18-0x0000000005590000-0x0000000005594000-memory.dmp

Filesize
16KB

Download
memory/3952-25-0x00000000055C0000-0x00000000055C5000-memory.dmp

Filesize
20KB

Download
memory/3952-13-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3952-12-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/3952-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads