echelon | a6960926d530880cde47a08146cb733b1b69fad3cd30b8af4d7afa999254e3c0

Analysis

Target

9.exe
Size

1.0MB
MD5

6016445d4e3cee2e3efc99f412e9dadc
SHA1

c2340620feee283fa98bf67b468b73c6868bbe0b
SHA256

a6960926d530880cde47a08146cb733b1b69fad3cd30b8af4d7afa999254e3c0
SHA512

cd23c3b8ee689e49d0c3d3c58bb82af15449edad2a51ce8d56063fb12a4f05b57fcd866175844dd371ba4f3366cf9ad5da9183cf4fa09ca20f5cef887d59c19a

Score

10^/10

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	9.exe
1056	9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	9.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1056-60-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1056-62-0x0000000002120000-0x0000000002191000-memory.dmp

Filesize
452KB

Download
memory/1056-63-0x000000001AE70000-0x000000001AE72000-memory.dmp

Filesize
8KB

Download