echelon | 94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32

General

Target

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
Size

6.0MB
MD5

56bee069313ec7dbdf30acb7c93ec7a3
SHA1

e8728f02760926850ec999b7c268e71fa7913585
SHA256

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32
SHA512

31091c8e5b6ba413f39693022fabd6d25dda6a6cf3181934b81bbca8c396febc58b503afd52232c50081c6a1828f53d5ed2e07a2b2e9926c8160cd06ff60806e

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Enchelon.exe

pid process

1608 Enchelon.exe
Loads dropped DLL 1 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

pid process

384 94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

yara_rule
echelon_log_file

pid	process
1608	Enchelon.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Enchelon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
7 api.ipify.org
3 api.ipify.org
4 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

pid process

384 94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1028 1608 WerFault.exe Enchelon.exe

flow	ioc
5	ip-api.com
7	api.ipify.org
3	api.ipify.org
4	api.ipify.org

pid	pid_target	process	target process
1028	1608	WerFault.exe	Enchelon.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exeEnchelon.exe

pid	process
384	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
384	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
1608	Enchelon.exe
1608	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Enchelon.exe

description pid process

Token: SeDebugPrivilege 1608 Enchelon.exe

description	pid	process
Token: SeDebugPrivilege	1608	Enchelon.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exeEnchelon.exe

description	pid	process	target process
PID 384 wrote to memory of 1608	384	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe	Enchelon.exe
PID 384 wrote to memory of 1608	384	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe	Enchelon.exe
PID 384 wrote to memory of 1608	384	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe	Enchelon.exe
PID 384 wrote to memory of 1608	384	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe	Enchelon.exe
PID 1608 wrote to memory of 1028	1608	Enchelon.exe	WerFault.exe
PID 1608 wrote to memory of 1028	1608	Enchelon.exe	WerFault.exe
PID 1608 wrote to memory of 1028	1608	Enchelon.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
"C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
"C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1608 -s 1816
3⤵
- Program crash
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
caf5c96dcedbb1e5dbadc36c188a740f

SHA1
1b5fb7eb3c0608b84a8e330587a9424df83d4baa

SHA256
753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

SHA512
c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
caf5c96dcedbb1e5dbadc36c188a740f

SHA1
1b5fb7eb3c0608b84a8e330587a9424df83d4baa

SHA256
753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

SHA512
c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll
Filesize
94KB

MD5
27b9265bfa1c0fd0aea87a32a55b32b4

SHA1
861d3f9099f5b409e0990e831499eddd0da7e57f

SHA256
f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

SHA512
4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
512KB

MD5
505a541a82ab519e991c895a30a99852

SHA1
ac99dfb7a890ddb254ec65dafdcfef4b657117a1

SHA256
072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

SHA512
4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

Download Submit
\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
caf5c96dcedbb1e5dbadc36c188a740f

SHA1
1b5fb7eb3c0608b84a8e330587a9424df83d4baa

SHA256
753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

SHA512
c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

Download Submit
memory/384-54-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/384-55-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/384-61-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/1028-72-0x0000000000000000-mapping.dmp

Download
memory/1608-63-0x0000000000940000-0x00000000009B8000-memory.dmp

Filesize
480KB

Download
memory/1608-65-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1608-57-0x0000000000000000-mapping.dmp

Download
memory/1608-67-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1608-69-0x0000000000AE0000-0x0000000000AFE000-memory.dmp

Filesize
120KB

Download
memory/1608-60-0x00000000012C0000-0x0000000001354000-memory.dmp

Filesize
592KB

Download
memory/1608-71-0x000000001BB60000-0x000000001BBE6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads