echelon | 67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7v20210410
submitted
30-07-2021 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222-main/mySThe.exe
Size

1.0MB
MD5

6d298ea9fddcb15bc12be3699b88724e
SHA1

946732233c9490060639a44ea593f2ccd6ddc30b
SHA256

74499fe96913a5ec1b89d8b79ca8bf2d3fd598c0d65339bd6d6223599f20aa7b
SHA512

40e40caaf22651eb749694b1827f1902c89935bb5f40baf7ec3c68bfd277b68bd76c3a7c54cfa4ce7959b7067b6fb00ec1513f57e330df7790a95e7ed6ebc8ed

Score

10^/10

echelon spyware stealer suricata

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 api.ipify.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mySThe.exe

pid process

1676 mySThe.exe
1676 mySThe.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mySThe.exe

description pid process

Token: SeDebugPrivilege 1676 mySThe.exe

flow	ioc
6	api.ipify.org
7	api.ipify.org

pid	process
1676	mySThe.exe
1676	mySThe.exe

description	pid	process
Token: SeDebugPrivilege	1676	mySThe.exe

C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\mySThe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-60-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1676-62-0x0000000002670000-0x00000000026E1000-memory.dmp

Filesize
452KB

Download
memory/1676-63-0x0000000002700000-0x0000000002702000-memory.dmp

Filesize
8KB

Download