echelon | baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4 | Triage

Submit
Reports

Overview

overview

Static

static

baf63544b0...c4.exe

windows7_x64

baf63544b0...c4.exe

windows10-2004_x64

Sharing

General

Target

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4
Size

4.1MB
Sample

220306-12a9rshchm
MD5

7a7da0b227e440ed8ed25dd058976f44
SHA1

c8ed414480d675be16dbfcce03f14db25330dc4f
SHA256

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4
SHA512

3cd8497e3d74bd9f94c25f088ed22a427c38b3e5cec5e51a3e49862b6ed4b3ac41ca11a1e0b0bb9923af68b7ee8585b2b09defc795c6c74cd35ac0b1afe820e3

Score

10^/10

echelon collection discovery persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe

Resource

win7-20220223-en

echelon collection discovery persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe

Resource

win10v2004-en-20220112

echelon collection discovery persistence spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4
- Size
  
  4.1MB
- MD5
  
  7a7da0b227e440ed8ed25dd058976f44
- SHA1
  
  c8ed414480d675be16dbfcce03f14db25330dc4f
- SHA256
  
  baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4
- SHA512
  
  3cd8497e3d74bd9f94c25f088ed22a427c38b3e5cec5e51a3e49862b6ed4b3ac41ca11a1e0b0bb9923af68b7ee8585b2b09defc795c6c74cd35ac0b1afe820e3
Score

10^/10

echelon collection discovery persistence spyware stealer
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Echelon log file
  Detects a log file produced by Echelon.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

echeloncollectiondiscoverypersistencespywarestealer

behavioral2

echeloncollectiondiscoverypersistencespywarestealer

© 2018-2024

Terms | Privacy