echelon | 3422b33a307f80a5dad2882982e061d1ed496f7a1b5c6541fdde8cbab133af7a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a69935073fb2ff90d74e75428854bf8.exe
Size

1.9MB
MD5

1a69935073fb2ff90d74e75428854bf8
SHA1

41abbb5100a64a9637cd5af6b678902baf731013
SHA256

3422b33a307f80a5dad2882982e061d1ed496f7a1b5c6541fdde8cbab133af7a
SHA512

cdf36b6ce52de3447154d64d3c3d180b8a540f51d2c60cac1bd04b440e51c1050cbb16a15935ffc5c1c2b93b0a4c3d26c0278c612f6171835b09bc650342538b
SSDEEP

49152:3eSgHKhG7DuyiTDi+EjIJo54clgLH+tkWJ0:upq47DfsibIFcKHgkWJ0

Score

10^/10

echelon spyware stealer vmprotect

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2424-0-0x000001BB5E9A0000-0x000001BB5ECB4000-memory.dmp	vmprotect

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
9 api.ipify.org
35 ip-api.com
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1a69935073fb2ff90d74e75428854bf8.exe

pid process

2424 1a69935073fb2ff90d74e75428854bf8.exe
2424 1a69935073fb2ff90d74e75428854bf8.exe
2424 1a69935073fb2ff90d74e75428854bf8.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1a69935073fb2ff90d74e75428854bf8.exe

description pid process

Token: SeDebugPrivilege 2424 1a69935073fb2ff90d74e75428854bf8.exe

flow	ioc
7	api.ipify.org
9	api.ipify.org
35	ip-api.com

pid	process
2424	1a69935073fb2ff90d74e75428854bf8.exe
2424	1a69935073fb2ff90d74e75428854bf8.exe
2424	1a69935073fb2ff90d74e75428854bf8.exe

description	pid	process
Token: SeDebugPrivilege	2424	1a69935073fb2ff90d74e75428854bf8.exe

C:\Users\Admin\AppData\Local\Temp\1a69935073fb2ff90d74e75428854bf8.exe
"C:\Users\Admin\AppData\Local\Temp\1a69935073fb2ff90d74e75428854bf8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FPBJu078BFBFF000306D20E224AB629\29078BFBFF000306D20E224AB6FPBJu\Grabber\DebugSync.txt
Filesize
277KB

MD5
33af2f2700e3e5802ba256caaab8603e

SHA1
e907d7fba8994783bf8c8f3b438ec36e946f634a

SHA256
e0c83ad2cf427393e9a3f676ede626559691adaf1c4434b045c981efa0a680a9

SHA512
c66dce0f8766611ed9ba8a3bd636542fda21daa1c2706985ea591f96f149c0863a71383084bb3160c0ebde03dcb69cd3406fc0a5203e93229ca7a481eaf6eed6

Download Submit
C:\Users\Admin\AppData\Local\FPBJu078BFBFF000306D20E224AB629\29078BFBFF000306D20E224AB6FPBJu\Grabber\PublishPing.zip
Filesize
134KB

MD5
c3dbb589fc302e72f0025e286ef38af5

SHA1
4d24034f6b0b8f735255c14296933b405c35cac5

SHA256
4cd81fbede1488b83f1816ac0236b57c2ecc1d1a5cb038bf06e264c2187f3f8a

SHA512
c9c0c161eb15b81a35f87a4cdeaf4d8ebe4dd3b7b3f1a2dc48b966e94e6291ec83f9a2425b7be9a23fdd48fc1c7c435234b8c5fd9631a89d2c6f6f1102d625be

Download Submit
C:\Users\Admin\AppData\Local\FPBJu078BFBFF000306D20E224AB629\29078BFBFF000306D20E224AB6FPBJu\Grabber\RestoreRestart.rar
Filesize
106KB

MD5
8c2177496f4350d2b45476c74bb0e5d3

SHA1
21153d1e10ddf9f4cf7531d2f54b3e142d14e684

SHA256
61f64dfb7581e1bbacb37cf490ef53e872a235de821f8cb6f77e6538012b7235

SHA512
7395413e44085718efd693ae1172ea619fbb4914b59963c3b9ce0a8b66994b14a1647deab65a30235d2f99abe93efffa5e4a2d92d96d51280c4fedec32fa13e0

Download Submit
memory/2424-0-0x000001BB5E9A0000-0x000001BB5ECB4000-memory.dmp

Filesize
3.1MB

Download
memory/2424-1-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/2424-2-0x000001BB608C0000-0x000001BB608D0000-memory.dmp

Filesize
64KB

Download
memory/2424-3-0x000001BB5F050000-0x000001BB5F051000-memory.dmp

Filesize
4KB

Download
memory/2424-4-0x000001BB79270000-0x000001BB792E6000-memory.dmp

Filesize
472KB

Download
memory/2424-61-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download
memory/2424-62-0x000001BB608C0000-0x000001BB608D0000-memory.dmp

Filesize
64KB

Download
memory/2424-73-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp

Filesize
10.8MB

Download