Overview

overview

10

Static

static

10

Echelon.exe

windows7-x64

10

Echelon.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    58s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2023 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Echelon.exe

  • Size

    592KB

  • MD5

    42c949896f36865721df77cebebd9705

  • SHA1

    2c9fd967cd744340f133ab997280c62c6d1bd2a2

  • SHA256

    f9f1b8511b6a2f81a35a80fff4880d38fa00c30b10ebb5aecccbfcfb1ff086af

  • SHA512

    f3db8c7c6cd8672c2dd1c5716c75438e5c59706849caaa40453f26bb00da034d4cb44f3e15775679998d575bf15eddcce15c16f405fdc87b568a6705826ada79

  • SSDEEP

    12288:LeI8SoKDZLJLUf9snBS4csPYae6qfzqAA:9oKDhhUF54clNf7qB

Score
10/10
echelonspywarestealer

Malware Config

Signatures

  • Detects Echelon Stealer payload 1 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Echelon.exe
    "C:\Users\Admin\AppData\Local\Temp\Echelon.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2008 -s 1284
      2⤵
      • Program crash
      PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2008-54-0x00000000013D0000-0x000000000146A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2008-55-0x000000001AE00000-0x000000001AE80000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2008-56-0x000000001AE00000-0x000000001AE80000-memory.dmp

    Filesize

    512KB

    Download