echelon | 2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8

General

Target

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe
Size

1.5MB
MD5

42b7ad9f68861217fa003d3154c0d779
SHA1

7574bc07cfb34148fca3e18c87c64554a7b8529a
SHA256

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8
SHA512

d457fd41ebf63fa24959fadd5be4600da790b43025025163d620e662e219086c265545494bc0fd40eb71463e64af0f651f1fe9509a40ce67fac625f98e20cb53

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1724 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

yara_rule
echelon_log_file

pid	process
1724	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
6 ip-api.com
8 api.ipify.org
11 api.ipify.org
12 api.ipify.org
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1800 timeout.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com
8	api.ipify.org
11	api.ipify.org
12	api.ipify.org

pid	process
1800	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

pid	process
1748	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe
1748	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

description pid process

Token: SeDebugPrivilege 1748 2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

description	pid	process
Token: SeDebugPrivilege	1748	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 1724	1748	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe	cmd.exe
PID 1748 wrote to memory of 1724	1748	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe	cmd.exe
PID 1748 wrote to memory of 1724	1748	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe	cmd.exe
PID 1724 wrote to memory of 1800	1724	cmd.exe	timeout.exe
PID 1724 wrote to memory of 1800	1724	cmd.exe	timeout.exe
PID 1724 wrote to memory of 1800	1724	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

outlook_win_path 1 IoCs

Processes:

2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe

C:\Users\Admin\AppData\Local\Temp\2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe
"C:\Users\Admin\AppData\Local\Temp\2fcead4dde3efc15cfa2a1acd887d36535b97eada854a189324dc65013e406b8.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1748

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE946.tmp.cmd""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE946.tmp.cmd
MD5
1843b720ec6444408b5cfcacb063b8e2

SHA1
f53dd2a79e814664e4a5594a389099c195491978

SHA256
d7b6ba39f83d2c67cace37cfdac523d36bc7f1b3af87219baafcffc2f7060aea

SHA512
48149c0419efe9258df0c341dd2a12e1bb3e4dbac6af77010918a1d1c0faa72da61edde725795f0d569920d1759a6c1711bd46687fba3766999308f76cf1b071

Download Submit
memory/1748-54-0x0000000001210000-0x000000000139E000-memory.dmp

Filesize
1.6MB

Download
memory/1748-55-0x000000001B490000-0x000000001B492000-memory.dmp

Filesize
8KB

Download
memory/1748-56-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads