echelon | e74ba4cb7a8950928fb8bc8f3089ca49c295dd4197afb89ddcee666685da6c0a

General

Target

56b9cbe1556dd419bec522a473a70a20.exe
Size

674KB
MD5

56b9cbe1556dd419bec522a473a70a20
SHA1

6077796a394c2235f87d02dfd14096ee3cc2fe78
SHA256

e74ba4cb7a8950928fb8bc8f3089ca49c295dd4197afb89ddcee666685da6c0a
SHA512

eccfb376ab6bbbe79e24b21fdd1c6c682675db04bb7b5574853eca30d79d9ee571a70ac3f7c29c933c2cbf906faca4c7cbbedd62e83194351f856bacf03bb57e
SSDEEP

12288:ILfpljJgZSsAjAuYcVWfs6MDMVqfBdcmDBuvXEVd:0JwcAuv0fKMVqJdczEVd

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

resource	yara_rule
behavioral2/memory/1404-0-0x0000027698C40000-0x0000027698CEE000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	56b9cbe1556dd419bec522a473a70a20.exe
Key opened	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	56b9cbe1556dd419bec522a473a70a20.exe
Key opened	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	56b9cbe1556dd419bec522a473a70a20.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.ipify.org
29	api.ipify.org
31	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe
1404	56b9cbe1556dd419bec522a473a70a20.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	56b9cbe1556dd419bec522a473a70a20.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	56b9cbe1556dd419bec522a473a70a20.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	56b9cbe1556dd419bec522a473a70a20.exe

C:\Users\Admin\AppData\Local\Temp\56b9cbe1556dd419bec522a473a70a20.exe
"C:\Users\Admin\AppData\Local\Temp\56b9cbe1556dd419bec522a473a70a20.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BJXHwy078BFBFF000306D22603F02334\34078BFBFF000306D22603F023BJXHwy\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\BJXHwy078BFBFF000306D22603F02334\34078BFBFF000306D22603F023BJXHwy\Files\RegisterSync.rar

Filesize
92KB

MD5
9d74a09784ee33fa8fa012a68ff98820

SHA1
6b563f502cd94a21cd60af445642c5444a84231b

SHA256
bc1dca99621de737964b943974f3a55dcc5b7c2841bd66f240714616d0afe8ba

SHA512
4f7f349f14878dc82bc8ab6d3d67be4703ca0358c3c09e7a3e08907732082352dfbbf2a0d11320dc042acba9dfff31469fb88048df75f8a12b40b72cf694789d

Download Submit
C:\Users\Admin\AppData\Roaming\BJXHwy078BFBFF000306D22603F02334\34078BFBFF000306D22603F023BJXHwy\Files\SplitConfirm.txt

Filesize
65KB

MD5
7e8d1d1be91fc3bcf2501ae8a797a194

SHA1
8139d1656fd59895d428af6721ca31a73e671f55

SHA256
b0dd8e123cec48a8603e996c57f305e11c53362d782e16cd45c60693e02ad4b8

SHA512
a6e9c7592a4037df056512d068d6e45cd08de125012b13f637d5678636e0dddaf99493168ba57e5f8883603ef35cc28d5855dd32144aa1ff239e64a0f521d07d

Download Submit
memory/1404-6-0x000002769ABB0000-0x000002769ABC0000-memory.dmp

Filesize
64KB

Download
memory/1404-4-0x000002769ABD0000-0x000002769ABE4000-memory.dmp

Filesize
80KB

Download
memory/1404-5-0x00000276B3DD0000-0x00000276B3DDE000-memory.dmp

Filesize
56KB

Download
memory/1404-10-0x000002769ABB0000-0x000002769ABC0000-memory.dmp

Filesize
64KB

Download
memory/1404-7-0x000002769ABB0000-0x000002769ABC0000-memory.dmp

Filesize
64KB

Download
memory/1404-0-0x0000027698C40000-0x0000027698CEE000-memory.dmp

Filesize
696KB

Download
memory/1404-2-0x000002769ABB0000-0x000002769ABC0000-memory.dmp

Filesize
64KB

Download
memory/1404-3-0x000002769AB50000-0x000002769AB94000-memory.dmp

Filesize
272KB

Download
memory/1404-88-0x00000276B41D0000-0x00000276B4260000-memory.dmp

Filesize
576KB

Download
memory/1404-89-0x00000276B4260000-0x00000276B4282000-memory.dmp

Filesize
136KB

Download
memory/1404-87-0x00000276B3F60000-0x00000276B3F7E000-memory.dmp

Filesize
120KB

Download
memory/1404-1-0x00007FFD7FEE0000-0x00007FFD809A1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-90-0x00007FFD7FEE0000-0x00007FFD809A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing