echelon | 8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9

General

Target

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
Size

6.0MB
MD5

bb0296a088bb59beb5a1036deaf7fdd9
SHA1

9d21aeeb734f80d302c82098a3033463842ebb1f
SHA256

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9
SHA512

1bb684a262198a033f06d45d6712a89a2783644783947febe9e1a9b77c1577249c4691bc256c4a975b498c650efd5bf1e0016f2a354f8a3939d33168df72f671

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Enchelon.exe

pid process

1840 Enchelon.exe
Loads dropped DLL 1 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

pid process

1764 8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

yara_rule
echelon_log_file

pid	process
1840	Enchelon.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Enchelon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
5 ip-api.com
7 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

pid process

1764 8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

584 1840 WerFault.exe Enchelon.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org
5	ip-api.com
7	api.ipify.org

pid	pid_target	process	target process
584	1840	WerFault.exe	Enchelon.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exeEnchelon.exe

pid	process
1764	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
1764	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
1840	Enchelon.exe
1840	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Enchelon.exe

description pid process

Token: SeDebugPrivilege 1840 Enchelon.exe

description	pid	process
Token: SeDebugPrivilege	1840	Enchelon.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exeEnchelon.exe

description	pid	process	target process
PID 1764 wrote to memory of 1840	1764	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe	Enchelon.exe
PID 1764 wrote to memory of 1840	1764	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe	Enchelon.exe
PID 1764 wrote to memory of 1840	1764	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe	Enchelon.exe
PID 1764 wrote to memory of 1840	1764	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe	Enchelon.exe
PID 1840 wrote to memory of 584	1840	Enchelon.exe	WerFault.exe
PID 1840 wrote to memory of 584	1840	Enchelon.exe	WerFault.exe
PID 1840 wrote to memory of 584	1840	Enchelon.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
"C:\Users\Admin\AppData\Local\Temp\8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
"C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1840 -s 1732
3⤵
- Program crash
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
e2e0aa6290348b2b784c882d38e244a9

SHA1
6bb4d477947ca1d935ba4d004e97b2a9428251a5

SHA256
bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

SHA512
df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
e2e0aa6290348b2b784c882d38e244a9

SHA1
6bb4d477947ca1d935ba4d004e97b2a9428251a5

SHA256
bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

SHA512
df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll
Filesize
94KB

MD5
27b9265bfa1c0fd0aea87a32a55b32b4

SHA1
861d3f9099f5b409e0990e831499eddd0da7e57f

SHA256
f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

SHA512
4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
512KB

MD5
505a541a82ab519e991c895a30a99852

SHA1
ac99dfb7a890ddb254ec65dafdcfef4b657117a1

SHA256
072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

SHA512
4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

Download Submit
\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
e2e0aa6290348b2b784c882d38e244a9

SHA1
6bb4d477947ca1d935ba4d004e97b2a9428251a5

SHA256
bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

SHA512
df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

Download Submit
memory/584-72-0x0000000000000000-mapping.dmp

Download
memory/1764-55-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1764-60-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1764-54-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1840-61-0x0000000000B20000-0x0000000000BB4000-memory.dmp

Filesize
592KB

Download
memory/1840-67-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/1840-65-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1840-69-0x0000000000AC0000-0x0000000000ADE000-memory.dmp

Filesize
120KB

Download
memory/1840-63-0x00000000005E0000-0x0000000000658000-memory.dmp

Filesize
480KB

Download
memory/1840-71-0x000000001BC80000-0x000000001BD06000-memory.dmp

Filesize
536KB

Download
memory/1840-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads