echelon | f440c2cc4fc3168c939310c4e90b80d980a4a0d6a42f0596d2676461b02d11e2

General

Target

Mist.Buld.exe
Size

391KB
MD5

51083ffcc13fc386b68eaa8117f48a55
SHA1

c5a7098f15174be421498cede6c8df8819e98540
SHA256

f440c2cc4fc3168c939310c4e90b80d980a4a0d6a42f0596d2676461b02d11e2
SHA512

81119315b4d36283d283e2e8cc1b2f59f4a72ac921fa32707fc00cc636c73e324554bcbc92847c3d5b1dea3fa6fcca3c093074be4b7f56e6c4213238a7ad2d89

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 2 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

systems32.exe

pid process

3860 systems32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 api.ipify.org
17 ip-api.com
26 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4000 schtasks.exe
3596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Mist.Buld.exesystems32.exe

pid process

576 Mist.Buld.exe
576 Mist.Buld.exe
3860 systems32.exe
3860 systems32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Mist.Buld.exesystems32.exe

description pid process

Token: SeDebugPrivilege 576 Mist.Buld.exe
Token: SeDebugPrivilege 3860 systems32.exe

yara_rule
echelon_log_file
echelon_log_file

pid	process
3860	systems32.exe

flow	ioc
6	api.ipify.org
7	api.ipify.org
17	ip-api.com
26	api.ipify.org

pid	process
4000	schtasks.exe
3596	schtasks.exe

pid	process
576	Mist.Buld.exe
576	Mist.Buld.exe
3860	systems32.exe
3860	systems32.exe

description	pid	process
Token: SeDebugPrivilege	576	Mist.Buld.exe
Token: SeDebugPrivilege	3860	systems32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Mist.Buld.exesystems32.exe

description	pid	process	target process
PID 576 wrote to memory of 4000	576	Mist.Buld.exe	schtasks.exe
PID 576 wrote to memory of 4000	576	Mist.Buld.exe	schtasks.exe
PID 3860 wrote to memory of 3596	3860	systems32.exe	schtasks.exe
PID 3860 wrote to memory of 3596	3860	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Mist.Buld.exe
"C:\Users\Admin\AppData\Local\Temp\Mist.Buld.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe" /f
2⤵
- Creates scheduled task(s)
PID:4000

C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe" /f
2⤵
- Creates scheduled task(s)
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
MD5
51083ffcc13fc386b68eaa8117f48a55

SHA1
c5a7098f15174be421498cede6c8df8819e98540

SHA256
f440c2cc4fc3168c939310c4e90b80d980a4a0d6a42f0596d2676461b02d11e2

SHA512
81119315b4d36283d283e2e8cc1b2f59f4a72ac921fa32707fc00cc636c73e324554bcbc92847c3d5b1dea3fa6fcca3c093074be4b7f56e6c4213238a7ad2d89

Download Submit
C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
MD5
51083ffcc13fc386b68eaa8117f48a55

SHA1
c5a7098f15174be421498cede6c8df8819e98540

SHA256
f440c2cc4fc3168c939310c4e90b80d980a4a0d6a42f0596d2676461b02d11e2

SHA512
81119315b4d36283d283e2e8cc1b2f59f4a72ac921fa32707fc00cc636c73e324554bcbc92847c3d5b1dea3fa6fcca3c093074be4b7f56e6c4213238a7ad2d89

Download Submit
memory/576-0-0x00007FFC354A0000-0x00007FFC35E8C000-memory.dmp

Filesize
9.9MB

Download
memory/576-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/576-3-0x0000000002280000-0x0000000002315000-memory.dmp

Filesize
596KB

Download
memory/576-4-0x0000000002BE0000-0x0000000002C50000-memory.dmp

Filesize
448KB

Download
memory/3596-13-0x0000000000000000-mapping.dmp

Download
memory/3860-8-0x00007FFC354A0000-0x00007FFC35E8C000-memory.dmp

Filesize
9.9MB

Download
memory/4000-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads