echelon | 4a0f711887436496355320a602ea4141f5fceed48cb960e638d9daaee70dd077

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211104
submitted
14-11-2021 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BB483E0CB23EAF8FAAA78E28B5899211.exe
Size

2.5MB
MD5

bb483e0cb23eaf8faaa78e28b5899211
SHA1

80d17f4bb56fd99c557fbe72debe057bbf54c7f9
SHA256

4a0f711887436496355320a602ea4141f5fceed48cb960e638d9daaee70dd077
SHA512

be11b7de917665c1c9f993025e1960f95c3dd03c7ce8146bdc5b4038efbd9a52104780681fdaf6f3d70be8f7c717eeabafb964364b422ed15b4e9add79cc754f

Score

10^/10

echelon njrat redline @xxtrez hacked evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

0.tcp.ngrok.io:11722

Mutex

aadcb7aa3c0523a52c6ea2a71565f2d7

Attributes

reg_key
aadcb7aa3c0523a52c6ea2a71565f2d7
splitter
|'|'|

Extracted

Family

redline

Botnet

@xxtrez

178.20.41.235:41993

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1121.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1121.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Gifanio.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Gifanio.exe	family_redline
C:\ProgramData\Decoder.exe	family_redline
C:\ProgramData\Decoder.exe	family_redline

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

1121.exe....exeCSGhost-v4.2.1.exeGifanio.exeDecoder.exe

pid process

1668 1121.exe
2344 ....exe
3796 CSGhost-v4.2.1.exe
2848 Gifanio.exe
1000 Decoder.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1668	1121.exe
2344	....exe
3796	CSGhost-v4.2.1.exe
2848	Gifanio.exe
1000	Decoder.exe

Drops startup file 2 IoCs

Processes:

....exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aadcb7aa3c0523a52c6ea2a71565f2d7.exe	....exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aadcb7aa3c0523a52c6ea2a71565f2d7.exe	....exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

....exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\aadcb7aa3c0523a52c6ea2a71565f2d7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\....exe\" .."	....exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aadcb7aa3c0523a52c6ea2a71565f2d7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\....exe\" .."	....exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org
22 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1228 timeout.exe

flow	ioc
12	api.ipify.org
13	api.ipify.org
22	ip-api.com

pid	process
1228	timeout.exe

Modifies registry class 2 IoCs

Processes:

1121.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	1121.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CSGhost-v4.2.1.exe

pid	process
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe
3796	CSGhost-v4.2.1.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

Gifanio.exeDecoder.exe....exe

description	pid	process
Token: SeDebugPrivilege	2848	Gifanio.exe
Token: SeDebugPrivilege	1000	Decoder.exe
Token: SeDebugPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe
Token: 33	2344	....exe
Token: SeIncBasePriorityPrivilege	2344	....exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1224 OpenWith.exe

pid	process
1224	OpenWith.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

BB483E0CB23EAF8FAAA78E28B5899211.exe1121.exeGifanio.execmd.exe....exe

description	pid	process	target process
PID 3120 wrote to memory of 1668	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	1121.exe
PID 3120 wrote to memory of 1668	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	1121.exe
PID 3120 wrote to memory of 1668	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	1121.exe
PID 3120 wrote to memory of 2344	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	....exe
PID 3120 wrote to memory of 2344	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	....exe
PID 3120 wrote to memory of 2344	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	....exe
PID 3120 wrote to memory of 3796	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	CSGhost-v4.2.1.exe
PID 3120 wrote to memory of 3796	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	CSGhost-v4.2.1.exe
PID 3120 wrote to memory of 3796	3120	BB483E0CB23EAF8FAAA78E28B5899211.exe	CSGhost-v4.2.1.exe
PID 1668 wrote to memory of 2848	1668	1121.exe	Gifanio.exe
PID 1668 wrote to memory of 2848	1668	1121.exe	Gifanio.exe
PID 2848 wrote to memory of 1000	2848	Gifanio.exe	Decoder.exe
PID 2848 wrote to memory of 1000	2848	Gifanio.exe	Decoder.exe
PID 2848 wrote to memory of 1000	2848	Gifanio.exe	Decoder.exe
PID 2848 wrote to memory of 740	2848	Gifanio.exe	cmd.exe
PID 2848 wrote to memory of 740	2848	Gifanio.exe	cmd.exe
PID 740 wrote to memory of 1228	740	cmd.exe	timeout.exe
PID 740 wrote to memory of 1228	740	cmd.exe	timeout.exe
PID 2344 wrote to memory of 1820	2344	....exe	netsh.exe
PID 2344 wrote to memory of 1820	2344	....exe	netsh.exe
PID 2344 wrote to memory of 1820	2344	....exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\BB483E0CB23EAF8FAAA78E28B5899211.exe
"C:\Users\Admin\AppData\Local\Temp\BB483E0CB23EAF8FAAA78E28B5899211.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\1121.exe
"C:\Users\Admin\AppData\Local\Temp\1121.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\Gifanio.exe
"C:\Users\Admin\AppData\Local\Temp\Gifanio.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:1228

C:\Users\Admin\AppData\Local\Temp\....exe
"C:\Users\Admin\AppData\Local\Temp\....exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\....exe" "....exe" ENABLE
3⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.2.1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
29be19c1f19addea5fa444c00d90ee4d

SHA1
9b4acc191b65873495aed30def38b8b681804976

SHA256
9b561a403c83d0a8c9855e112a02aae26b769e2532d3dc636d8118d6375c879d

SHA512
2660285c4eee62e609175015ffdb4d07aa179257e5c7cb03af06d213050d46211c0e4c3db37bdffcaff47a5586c43d2f512c4ecc13c25a816b01cd3c53bbcbf6

Download Submit
C:\ProgramData\Decoder.exe
MD5
29be19c1f19addea5fa444c00d90ee4d

SHA1
9b4acc191b65873495aed30def38b8b681804976

SHA256
9b561a403c83d0a8c9855e112a02aae26b769e2532d3dc636d8118d6375c879d

SHA512
2660285c4eee62e609175015ffdb4d07aa179257e5c7cb03af06d213050d46211c0e4c3db37bdffcaff47a5586c43d2f512c4ecc13c25a816b01cd3c53bbcbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\....exe
MD5
fdde1d3516bc22013fbcbf2fe859b438

SHA1
fe37d973f051ec3745116244ac335e6ba27344de

SHA256
566706c985369de4895038a444f07b392cd2ac41453af442d99792258a1fd9db

SHA512
b5e5930a0f3df61731230018aa69d925591cb349e92901e57d0b0a32642bd2e9b4b39efc40df3d4cdcb8327e6fc35c463de34c862d87abc0c72c29e2e1e2ae3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\....exe
MD5
fdde1d3516bc22013fbcbf2fe859b438

SHA1
fe37d973f051ec3745116244ac335e6ba27344de

SHA256
566706c985369de4895038a444f07b392cd2ac41453af442d99792258a1fd9db

SHA512
b5e5930a0f3df61731230018aa69d925591cb349e92901e57d0b0a32642bd2e9b4b39efc40df3d4cdcb8327e6fc35c463de34c862d87abc0c72c29e2e1e2ae3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1121.exe
MD5
2571fa1b3ef68ae3a8d31ecf9cc46cf5

SHA1
287a43c137932c591a112bd2812f6a438807def6

SHA256
8ec8670b61cc47c37d8efb97cf0b601aca8f9317d5e8d86a7fea2ef98d685c9e

SHA512
362fd057a9fd94e8c5be3e3b9090bc7fb89758f9c6b151684ccbaf0d67f914743046da7a6e3209aef892590a6ec7e15ef087f883843005f4c55cf5ac1a8c2bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1121.exe
MD5
2571fa1b3ef68ae3a8d31ecf9cc46cf5

SHA1
287a43c137932c591a112bd2812f6a438807def6

SHA256
8ec8670b61cc47c37d8efb97cf0b601aca8f9317d5e8d86a7fea2ef98d685c9e

SHA512
362fd057a9fd94e8c5be3e3b9090bc7fb89758f9c6b151684ccbaf0d67f914743046da7a6e3209aef892590a6ec7e15ef087f883843005f4c55cf5ac1a8c2bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.2.1.exe
MD5
0b8c740f448c18aa9124a025c1e44faf

SHA1
d854df7a1a799d575d2f35a26d4abd57129d7331

SHA256
921665047eb9e62e9896ffe4e95aed16e4c5d47f6a059932bda6c76d7082cd2c

SHA512
35e5ca3bd517150eb4525505d4807fd7118045fc069456fb3a3bb6c505e1f1fbef85c831500a0c9f0cb18fb2758f7fba4c2d1ab8166cdd20d47a3a0ad78adac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.2.1.exe
MD5
0b8c740f448c18aa9124a025c1e44faf

SHA1
d854df7a1a799d575d2f35a26d4abd57129d7331

SHA256
921665047eb9e62e9896ffe4e95aed16e4c5d47f6a059932bda6c76d7082cd2c

SHA512
35e5ca3bd517150eb4525505d4807fd7118045fc069456fb3a3bb6c505e1f1fbef85c831500a0c9f0cb18fb2758f7fba4c2d1ab8166cdd20d47a3a0ad78adac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gifanio.exe
MD5
12f9f08ac18aa9de5328082627a2411a

SHA1
05d0e5cdcbee308ea44db8dcc393d3c4362dac3b

SHA256
9752828f298e3cb7cc5189540cbc103bc6ffe1441e59b94daa4f0ea1c815c197

SHA512
e16c9fab45c6d52b20a795c1450045e26708655745faf3a2b008a8f7a779a3dcb6cdea89e07a3766befc3e5e3a8876f3ce5f35882aaddb5a9cb0d2f71c88aa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gifanio.exe
MD5
12f9f08ac18aa9de5328082627a2411a

SHA1
05d0e5cdcbee308ea44db8dcc393d3c4362dac3b

SHA256
9752828f298e3cb7cc5189540cbc103bc6ffe1441e59b94daa4f0ea1c815c197

SHA512
e16c9fab45c6d52b20a795c1450045e26708655745faf3a2b008a8f7a779a3dcb6cdea89e07a3766befc3e5e3a8876f3ce5f35882aaddb5a9cb0d2f71c88aa55

Download Submit
memory/740-137-0x0000000000000000-mapping.dmp

Download
memory/1000-145-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1000-144-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1000-143-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/1000-141-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1000-146-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1000-147-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1000-135-0x0000000000000000-mapping.dmp

Download
memory/1000-148-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1228-140-0x0000000000000000-mapping.dmp

Download
memory/1668-118-0x0000000000000000-mapping.dmp

Download
memory/1820-149-0x0000000000000000-mapping.dmp

Download
memory/2344-127-0x00000000012D0000-0x000000000141A000-memory.dmp

Filesize
1.3MB

Download
memory/2344-121-0x0000000000000000-mapping.dmp

Download
memory/2848-134-0x00000257A9980000-0x00000257A9982000-memory.dmp

Filesize
8KB

Download
memory/2848-133-0x0000025790F90000-0x0000025791001000-memory.dmp

Filesize
452KB

Download
memory/2848-131-0x000002578F1A0000-0x000002578F1A1000-memory.dmp

Filesize
4KB

Download
memory/2848-128-0x0000000000000000-mapping.dmp

Download
memory/3796-123-0x0000000000000000-mapping.dmp

Download