echelon | dc2b7679fe1950b3fd5d72668e957484b24c169dadc0ddbe69334e748ae197a6

Analysis

max time kernel
5s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e27602f250feafb8c2dc9a04e5ba2137.exe
Size

1.0MB
MD5

e27602f250feafb8c2dc9a04e5ba2137
SHA1

67250b69ab12c0f539fe4c7f2a0ec7f30cce50b6
SHA256

dc2b7679fe1950b3fd5d72668e957484b24c169dadc0ddbe69334e748ae197a6
SHA512

962d5e64905693379b9ef128657d15815fae31b3743639d411c09162251ed28ec685edcebb6ebe099dc7469b068e4827b44de25de99b29478c564eda94aaba09
SSDEEP

24576:afQY6fhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRPIM:bo54clgLH+tkWJ0N5

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
26 ip-api.com
3 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e27602f250feafb8c2dc9a04e5ba2137.exe

description pid process

Token: SeDebugPrivilege 2032 e27602f250feafb8c2dc9a04e5ba2137.exe

flow	ioc
11	api.ipify.org
26	ip-api.com
3	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	2032	e27602f250feafb8c2dc9a04e5ba2137.exe

C:\Users\Admin\AppData\Local\Temp\e27602f250feafb8c2dc9a04e5ba2137.exe
"C:\Users\Admin\AppData\Local\Temp\e27602f250feafb8c2dc9a04e5ba2137.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uuRFDLJPVJRXHuDXLFwwLJF078BFBFF000306D21C0E061990\90078BFBFF000306D21C0E0619uuRFDLJPVJRXHuDXLFwwLJF\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\uuRFDLJPVJRXHuDXLFwwLJF078BFBFF000306D21C0E061990\90078BFBFF000306D21C0E0619uuRFDLJPVJRXHuDXLFwwLJF\Grabber\InvokeRepair.rar
Filesize
158KB

MD5
f667ee2eba2f996e2ad4cff82ad4166b

SHA1
bf9f643237a1733b1fdd632b1e05b17d101df870

SHA256
28be94bfcc0b68f550c482e2878a16f268247417033de8dcb8db104628b42c2b

SHA512
ba75420185d068a0f78ce92d1f6cb423f1db78dd17bcb095057f14d53b8bc027e6ef54438f69e53cfcb23d16dc1e8089e5dc4f9968ceb0701b91c2318f828cb3

Download Submit
C:\Users\Admin\AppData\Roaming\uuRFDLJPVJRXHuDXLFwwLJF078BFBFF000306D21C0E061990\90078BFBFF000306D21C0E0619uuRFDLJPVJRXHuDXLFwwLJF\Grabber\OpenLock.txt
Filesize
106KB

MD5
73f22fc07ae5f97111d3875b7ab13c0c

SHA1
18464c631d7a45b6f38773193015912a143475b2

SHA256
e43a28f3825416735e449267021653de382cbba684369c5154f364b1cf978cf4

SHA512
fc2f3fb9cb5c221e809319a077d37f4c7ec77757c320d06c8761e50824da0401fc766865d5cc9d618838ba89a1d1c5c7a6ac1a4115e4ec08bc05a89539b5c9f7

Download Submit
C:\Users\Admin\AppData\Roaming\uuRFDLJPVJRXHuDXLFwwLJF078BFBFF000306D21C0E061990\90078BFBFF000306D21C0E0619uuRFDLJPVJRXHuDXLFwwLJF\Grabber\StartPing.txt
Filesize
50KB

MD5
c5ad5b2ed52c12f6d5efa7b8b9a9e740

SHA1
9be3862d1d2b338fe6a7a75893d8372d4e861e9f

SHA256
52aafc4a3233bd205aba3b851bd62248d236575d88b1279ceb672e68730679d7

SHA512
63d3371352f9db826e02c8df6e21bb2824e8904e5c3821382d4c94800b2813f37c97c851610b50414f61255f94d2a7848f7cd22129e6ae42f2648760dfcb6778

Download Submit
memory/2032-0-0x000002417E110000-0x000002417E21A000-memory.dmp

Filesize
1.0MB

Download
memory/2032-1-0x00007FFEDC3B0000-0x00007FFEDCE71000-memory.dmp

Filesize
10.8MB

Download
memory/2032-3-0x0000024118970000-0x0000024118980000-memory.dmp

Filesize
64KB

Download
memory/2032-2-0x00000241188D0000-0x0000024118946000-memory.dmp

Filesize
472KB

Download
memory/2032-78-0x00007FFEDC3B0000-0x00007FFEDCE71000-memory.dmp

Filesize
10.8MB

Download
memory/2032-79-0x0000024118970000-0x0000024118980000-memory.dmp

Filesize
64KB

Download
memory/2032-91-0x00007FFEDC3B0000-0x00007FFEDCE71000-memory.dmp

Filesize
10.8MB

Download