echelon | 36c04fff4cb95fcc397afe6ab4d32a3e9dc9c4d68e621f56dd9f8ae975a4a1fe

General

Target

35755b2520fd50c49cbdcce4627a79ae.exe
Size

944KB
MD5

35755b2520fd50c49cbdcce4627a79ae
SHA1

03d5ca3ba3eb3a6b92f2038248510cea88ea3952
SHA256

36c04fff4cb95fcc397afe6ab4d32a3e9dc9c4d68e621f56dd9f8ae975a4a1fe
SHA512

124943e2486c9ac50ee9a883f0b230447cf8de3f29cd0c299a3cb457a2f58cbb26681fdabdd2368bf72301a304a53c6b0d0e6870544e487b1cae58d8e97febbc
SSDEEP

12288:bGH/W5wqrqsyLDMKKMBhHsvhw46Dd9QC1uv3JVMO0PbkDaNarG3i6va/4JN5J:bceI1HfHs7U0/JGA20Gy6i/e9

Score

10^/10

echelon zgrat collection discovery rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3152-5-0x00000000024C0000-0x00000000024D2000-memory.dmp	family_zgrat_v1

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	35755b2520fd50c49cbdcce4627a79ae.exe
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	35755b2520fd50c49cbdcce4627a79ae.exe
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	35755b2520fd50c49cbdcce4627a79ae.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 api.ipify.org
60 api.ipify.org
80 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

description pid process target process

PID 3152 set thread context of 2220 3152 35755b2520fd50c49cbdcce4627a79ae.exe 35755b2520fd50c49cbdcce4627a79ae.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

756 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

pid process

2220 35755b2520fd50c49cbdcce4627a79ae.exe
2220 35755b2520fd50c49cbdcce4627a79ae.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe35755b2520fd50c49cbdcce4627a79ae.exe

description pid process

Token: SeDebugPrivilege 3152 35755b2520fd50c49cbdcce4627a79ae.exe
Token: SeDebugPrivilege 2220 35755b2520fd50c49cbdcce4627a79ae.exe

flow	ioc
59	api.ipify.org
60	api.ipify.org
80	ip-api.com

description	pid	process	target process
PID 3152 set thread context of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe

pid	process
756	timeout.exe

pid	process
2220	35755b2520fd50c49cbdcce4627a79ae.exe
2220	35755b2520fd50c49cbdcce4627a79ae.exe

description	pid	process
Token: SeDebugPrivilege	3152	35755b2520fd50c49cbdcce4627a79ae.exe
Token: SeDebugPrivilege	2220	35755b2520fd50c49cbdcce4627a79ae.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe35755b2520fd50c49cbdcce4627a79ae.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 3152 wrote to memory of 2220	3152	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 2220 wrote to memory of 3696	2220	35755b2520fd50c49cbdcce4627a79ae.exe	cmd.exe
PID 2220 wrote to memory of 3696	2220	35755b2520fd50c49cbdcce4627a79ae.exe	cmd.exe
PID 2220 wrote to memory of 3696	2220	35755b2520fd50c49cbdcce4627a79ae.exe	cmd.exe
PID 3696 wrote to memory of 756	3696	cmd.exe	timeout.exe
PID 3696 wrote to memory of 756	3696	cmd.exe	timeout.exe
PID 3696 wrote to memory of 756	3696	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	35755b2520fd50c49cbdcce4627a79ae.exe

outlook_win_path 1 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	35755b2520fd50c49cbdcce4627a79ae.exe

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84FA.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\35755b2520fd50c49cbdcce4627a79ae.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84FA.tmp.bat
Filesize
78B

MD5
a8c034637c35da69b6f9957de1410123

SHA1
d9bf579e370c51b25ba1650205f598b70c7cd60d

SHA256
1dcf470b8503631b305d3da3c1552411a12e200654fd97590b296241215dbf14

SHA512
af9d9303b634e34c6913dadd254ade2c29f907da73e3023a35a3b0d2406ea66b6251e10c01d7c0590db4f9d7fdb9db07d31227cf68923fba868caf4115dda443

Download Submit
memory/2220-42-0x0000000006EA0000-0x0000000007444000-memory.dmp

Filesize
5.6MB

Download
memory/2220-36-0x0000000006610000-0x00000000066AC000-memory.dmp

Filesize
624KB

Download
memory/2220-82-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2220-67-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2220-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2220-45-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2220-41-0x0000000006850000-0x00000000068E2000-memory.dmp

Filesize
584KB

Download
memory/2220-10-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2220-11-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2220-12-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2220-13-0x00000000064C0000-0x0000000006536000-memory.dmp

Filesize
472KB

Download
memory/3152-2-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3152-9-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3152-0-0x0000000000130000-0x0000000000220000-memory.dmp

Filesize
960KB

Download
memory/3152-3-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3152-5-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/3152-1-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3152-4-0x0000000004C70000-0x0000000004CEA000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads