echelon | 8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a

General

Target

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
Size

522KB
MD5

1eaced72fb7d641ae89622e325b00226
SHA1

3bf9aae121eb77ffc00e69d0331a100604bf13e8
SHA256

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a
SHA512

a89770a240ffa337d54182018b161055f09f499d5bd9edab9a265bc8a34183d24e2ba21d866edf6055e23070071ba64dcb948580dad652b268187030b630b88e

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

Processes:

yara_rule
echelon_log_file

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com
8	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

pid	Process
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1920	1660	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

pid	Process
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

description	pid	Process
Token: SeDebugPrivilege	1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

description	pid	Process	procid_target
PID 1660 wrote to memory of 1920	1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe	28
PID 1660 wrote to memory of 1920	1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe	28
PID 1660 wrote to memory of 1920	1660	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe	28

outlook_office_path 1 IoCs

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

outlook_win_path 1 IoCs

Processes:

8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe

C:\Users\Admin\AppData\Local\Temp\8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe
"C:\Users\Admin\AppData\Local\Temp\8f3ff63e2c029c663223ac1edb0fa1fc049bd084a36224eda2d89e842769561a.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1660 -s 1680
  2⤵
  - Program crash
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-54-0x0000000001140000-0x00000000011C8000-memory.dmp

Filesize
544KB

Download
memory/1660-55-0x000000001B070000-0x000000001B180000-memory.dmp

Filesize
1.1MB

Download
memory/1660-56-0x000000001AD36000-0x000000001AD55000-memory.dmp

Filesize
124KB

Download
memory/1920-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads