echelon | f6d38b7dda48f70fabd8cf49cfb5191ef8bb4f351629c06ec102630d852da81c

General

Target

35c69ab07ba4fd97cb23a0351d7293b6.exe
Size

1.0MB
MD5

35c69ab07ba4fd97cb23a0351d7293b6
SHA1

65c3a14d30364f80ebda6cd1b83c6f9633291c35
SHA256

f6d38b7dda48f70fabd8cf49cfb5191ef8bb4f351629c06ec102630d852da81c
SHA512

072d19611df7a7807a4edff57befe8568132925b493cc7484684b59ef7cee31649eca13adafd3023f0a444241af6e571325880760b534990dfbac6a71bba1a70
SSDEEP

24576:GE6pfUKdYS7gd1OAWUN3YWpLfoYZc4Up3GR6reDPdNyE:GE6pfUHSM1Oz20Gc+TdN

Score

10^/10

echelon discovery spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e716-10.dat	family_echelon
behavioral2/files/0x000400000001e716-16.dat	family_echelon
behavioral2/memory/3228-18-0x000002B18E990000-0x000002B18EB56000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	35c69ab07ba4fd97cb23a0351d7293b6.exe

Executes dropped EXE 1 IoCs

pid	Process
3228	Crypt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4148-0-0x00000000000A0000-0x00000000002A0000-memory.dmp	vmprotect
behavioral2/files/0x000400000001e716-10.dat	vmprotect
behavioral2/files/0x000400000001e716-16.dat	vmprotect
behavioral2/memory/3228-18-0x000002B18E990000-0x000002B18EB56000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3228	Crypt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	Crypt.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 3228	4148	35c69ab07ba4fd97cb23a0351d7293b6.exe	88
PID 4148 wrote to memory of 3228	4148	35c69ab07ba4fd97cb23a0351d7293b6.exe	88

C:\Users\Admin\AppData\Local\Temp\35c69ab07ba4fd97cb23a0351d7293b6.exe
"C:\Users\Admin\AppData\Local\Temp\35c69ab07ba4fd97cb23a0351d7293b6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\Crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
1.0MB

MD5
0088abee944713ab183c41f3a2b07ea8

SHA1
ea027d6de4b2feebfb35b4ebde88cdaab6d6e744

SHA256
8ce4be0ab67c82e4f9023bbea4228430e56ef9ac133d377d75ecf2be75045111

SHA512
98c88b5f4d4b30f922fbd219da691842649e7aa39eeac65a8b21ad0bdd9437ace260bdf744910690b3d004fda16f1f267f78c307741526e8ba6bde3558f4c64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
1.0MB

MD5
0bcece3e0d6876197a467f3ecc61bef6

SHA1
d71a3441ea55c3c31fba1e1c2062a4c62c26ec08

SHA256
ed357a9c6b426ae16d85dd5a2a39405d5dc1b9b06fcec93955354430dd11d26f

SHA512
f7d4463b517b34bce519a606ede4d1a825762b2b3a6e62e6a1d3d1b3057f6049dbe93ad6bb0643edd9c3e800d3f766cdd10a93cffe108a2077bffd328c3a9a3c

Download Submit
memory/3228-22-0x000002B1A9120000-0x000002B1A9130000-memory.dmp

Filesize
64KB

Download
memory/3228-21-0x000002B18EF00000-0x000002B18EF01000-memory.dmp

Filesize
4KB

Download
memory/3228-52-0x00007FFB6EC60000-0x00007FFB6F721000-memory.dmp

Filesize
10.8MB

Download
memory/3228-51-0x000002B1A9120000-0x000002B1A9130000-memory.dmp

Filesize
64KB

Download
memory/3228-24-0x00007FFB6EC60000-0x00007FFB6F721000-memory.dmp

Filesize
10.8MB

Download
memory/3228-23-0x000002B1A9130000-0x000002B1A91A6000-memory.dmp

Filesize
472KB

Download
memory/3228-18-0x000002B18E990000-0x000002B18EB56000-memory.dmp

Filesize
1.8MB

Download
memory/3228-20-0x00007FFB6EC60000-0x00007FFB6F721000-memory.dmp

Filesize
10.8MB

Download
memory/4148-2-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4148-19-0x00007FFB6EC60000-0x00007FFB6F721000-memory.dmp

Filesize
10.8MB

Download
memory/4148-0-0x00000000000A0000-0x00000000002A0000-memory.dmp

Filesize
2.0MB

Download
memory/4148-1-0x00007FFB6EC60000-0x00007FFB6F721000-memory.dmp

Filesize
10.8MB

Download
memory/4148-4-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4148-5-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/4148-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing