echelon | f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889

General

Target

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
Size

978KB
MD5

6e8498b91bf1a607f76bc04b2ad2fa70
SHA1

95e1904c2f67cd364b8b386e5ccdd33edcd4955c
SHA256

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889
SHA512

00553a4611ec8badd707471ca53cebdc6cb876043a2e52522fb058369c228cfcf9fadb105795177bec50cc181c54879ab3cab74009ed2828ea96268c3dbcd172

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Decoder.exe

pid process

3476 Decoder.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 api.ipify.org
10 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1632 3476 WerFault.exe Decoder.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

796 timeout.exe
1608 timeout.exe

yara_rule
echelon_log_file

pid	process
3476	Decoder.exe

flow	ioc
6	api.ipify.org
7	api.ipify.org
10	ip-api.com

pid	pid_target	process	target process
1632	3476	WerFault.exe	Decoder.exe

pid	process
796	timeout.exe
1608	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exeWerFault.exe

pid	process
3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
Token: SeRestorePrivilege	1632	WerFault.exe
Token: SeBackupPrivilege	1632	WerFault.exe
Token: SeDebugPrivilege	1632	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.execmd.execmd.exe

description	pid	process	target process
PID 3988 wrote to memory of 3280	3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 3988 wrote to memory of 3280	3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 3988 wrote to memory of 3708	3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 3988 wrote to memory of 3708	3988	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 3280 wrote to memory of 796	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 796	3280	cmd.exe	timeout.exe
PID 3708 wrote to memory of 1608	3708	cmd.exe	timeout.exe
PID 3708 wrote to memory of 1608	3708	cmd.exe	timeout.exe
PID 3280 wrote to memory of 3476	3280	cmd.exe	Decoder.exe
PID 3280 wrote to memory of 3476	3280	cmd.exe	Decoder.exe
PID 3280 wrote to memory of 3476	3280	cmd.exe	Decoder.exe

C:\Users\Admin\AppData\Local\Temp\f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
"C:\Users\Admin\AppData\Local\Temp\f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:796

C:\Users\Admin\AppData\Local\Temp\Decoder.exe
"C:\Users\Admin\AppData\Local\Temp\\\Decoder.exe"
3⤵
- Executes dropped EXE
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 796
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2502.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
9f3bfaf16ddc6ef0e164ff718feaa75c

SHA1
b5ea860963f06f503dcaf8e7ee03b29237ace64f

SHA256
02d917932135b74c6e275f4e4d6626d14ce4f05957f8d0c2d81fe50c13836d40

SHA512
3c32d2fdb75c526ce7853936cc89efa61eb77ad95112cb19ab519da29b0211717f36bcb3d8928e5dca7e296c9b542537cce316c4e011ed357681a081fefac9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2502.tmp.cmd
MD5
4e7b66287ed2c1d6805f683005c4b06a

SHA1
30b2ed9f3e94b94888b34140ee21114ec2fefc38

SHA256
4b3e1bb11d104b8f66814cb69e1eb987926d5b787c51d25e8fb3a852030fa893

SHA512
997718718b825f11d60afca41f472d554a8160e42a6c21cec01e026338b1e6dc4ef4597b110b3d2d6e8c4cce9b0efaf54eec3c004ef8ec6541908b7ca07af2a3

Download Submit
memory/796-7-0x0000000000000000-mapping.dmp

Download
memory/1608-9-0x0000000000000000-mapping.dmp

Download
memory/1632-23-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1632-17-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3280-4-0x0000000000000000-mapping.dmp

Download
memory/3476-18-0x0000000000000000-mapping.dmp

Download
memory/3476-10-0x0000000000000000-mapping.dmp

Download
memory/3476-15-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3476-14-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3476-19-0x0000000000000000-mapping.dmp

Download
memory/3476-20-0x0000000000000000-mapping.dmp

Download
memory/3476-21-0x0000000000000000-mapping.dmp

Download
memory/3476-22-0x0000000000000000-mapping.dmp

Download
memory/3476-11-0x0000000000000000-mapping.dmp

Download
memory/3708-5-0x0000000000000000-mapping.dmp

Download
memory/3988-0-0x00007FFCC0C10000-0x00007FFCC15FC000-memory.dmp

Filesize
9.9MB

Download
memory/3988-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3988-3-0x000000001B7E0000-0x000000001B850000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads