echelon | c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88

General

Target

e9232ce72a3cf88a3d1442248275c797.exe
Size

977KB
MD5

e9232ce72a3cf88a3d1442248275c797
SHA1

80ccfcbb63dc194ddf3762aaff2b8c8a6b49fc94
SHA256

c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88
SHA512

ef8de903636d21bf80e0348c5a703e8c38325fa05fa23851e34a2608cb4d7ad927963d51f09adc5ec9e5c86140f9a4bdb5473181fbdc675510b3133384914feb

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Decoder.exe

pid process

3896 Decoder.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
6 api.ipify.org
7 api.ipify.org
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

804 3896 WerFault.exe Decoder.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1268 timeout.exe
2360 timeout.exe

yara_rule
echelon_log_file

pid	process
3896	Decoder.exe

flow	ioc
10	ip-api.com
6	api.ipify.org
7	api.ipify.org

pid	pid_target	process	target process
804	3896	WerFault.exe	Decoder.exe

pid	process
1268	timeout.exe
2360	timeout.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

e9232ce72a3cf88a3d1442248275c797.exeWerFault.exe

pid	process
1028	e9232ce72a3cf88a3d1442248275c797.exe
1028	e9232ce72a3cf88a3d1442248275c797.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e9232ce72a3cf88a3d1442248275c797.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1028	e9232ce72a3cf88a3d1442248275c797.exe
Token: SeRestorePrivilege	804	WerFault.exe
Token: SeBackupPrivilege	804	WerFault.exe
Token: SeDebugPrivilege	804	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e9232ce72a3cf88a3d1442248275c797.execmd.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 1872	1028	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 1028 wrote to memory of 1872	1028	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 1028 wrote to memory of 2452	1028	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 1028 wrote to memory of 2452	1028	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 1872 wrote to memory of 2360	1872	cmd.exe	timeout.exe
PID 1872 wrote to memory of 2360	1872	cmd.exe	timeout.exe
PID 2452 wrote to memory of 1268	2452	cmd.exe	timeout.exe
PID 2452 wrote to memory of 1268	2452	cmd.exe	timeout.exe
PID 1872 wrote to memory of 3896	1872	cmd.exe	Decoder.exe
PID 1872 wrote to memory of 3896	1872	cmd.exe	Decoder.exe
PID 1872 wrote to memory of 3896	1872	cmd.exe	Decoder.exe

C:\Users\Admin\AppData\Local\Temp\e9232ce72a3cf88a3d1442248275c797.exe
"C:\Users\Admin\AppData\Local\Temp\e9232ce72a3cf88a3d1442248275c797.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2360

C:\Users\Admin\AppData\Local\Temp\Decoder.exe
"C:\Users\Admin\AppData\Local\Temp\\\Decoder.exe"
3⤵
- Executes dropped EXE
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 784
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DE5.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
9f3bfaf16ddc6ef0e164ff718feaa75c

SHA1
b5ea860963f06f503dcaf8e7ee03b29237ace64f

SHA256
02d917932135b74c6e275f4e4d6626d14ce4f05957f8d0c2d81fe50c13836d40

SHA512
3c32d2fdb75c526ce7853936cc89efa61eb77ad95112cb19ab519da29b0211717f36bcb3d8928e5dca7e296c9b542537cce316c4e011ed357681a081fefac9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DE5.tmp.cmd
MD5
b36ced9eacc8778f1fd61a3096fb1a57

SHA1
cb2ea1d0b9e9eafaee505ac1a76da8f692dff9d0

SHA256
cf1b48d26683084ec098e4fab89dcff0e16b37f0ccb9f4285bdf5584ce147377

SHA512
f922a7010a0c32f38ad3d44bf47c48e16f1f186371d65c7bea8604ac64281680c8349db68eb7daad05c0a890ed0f01a8858581704ef03d991d91f7402cb1444c

Download Submit
memory/804-23-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/804-17-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1028-1-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1028-3-0x00000000011C0000-0x0000000001230000-memory.dmp

Filesize
448KB

Download
memory/1028-0-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1268-9-0x0000000000000000-mapping.dmp

Download
memory/1872-4-0x0000000000000000-mapping.dmp

Download
memory/2360-7-0x0000000000000000-mapping.dmp

Download
memory/2452-5-0x0000000000000000-mapping.dmp

Download
memory/3896-10-0x0000000000000000-mapping.dmp

Download
memory/3896-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3896-15-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3896-11-0x0000000000000000-mapping.dmp

Download
memory/3896-18-0x0000000000000000-mapping.dmp

Download
memory/3896-19-0x0000000000000000-mapping.dmp

Download
memory/3896-20-0x0000000000000000-mapping.dmp

Download
memory/3896-21-0x0000000000000000-mapping.dmp

Download
memory/3896-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads