echelon | d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be

General

Target

d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
Size

1.1MB
MD5

21baedb54f72d57d2d847d9352c8f91d
SHA1

ab0bdda443b1720b9a023874ae91c950146579b0
SHA256

d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be
SHA512

0da246eba76c17d86f3409eee307c43542ad6d46902d6183f75404dd1c8b460696d100c758ea893a4a4f6034967d450ba621325b59ca7ebc60fd48c5ea5059bf
SSDEEP

12288:tgGpzc0nT1aCX1TAlJjWWNQg3PcaMhljQATlQEhXbw7jKcQq6kAiJVORZy9:tgG5c0nTcwsWWR0PRThbw7jKDkANZk

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\Desktop\File.exe	family_echelon
behavioral1/memory/2516-6-0x00000000002E0000-0x0000000000408000-memory.dmp	family_echelon
behavioral1/memory/2516-40-0x000000001CCE0000-0x000000001CD60000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 1 IoCs

Processes:

File.exe

pid process

2516 File.exe
Loads dropped DLL 1 IoCs

Processes:

d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe

pid process

2508 d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2516	File.exe

pid	process
2508	d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org
4 ip-api.com
6 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

File.exe

pid process

2516 File.exe
2516 File.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

File.exe

description pid process

Token: SeDebugPrivilege 2516 File.exe

flow	ioc
2	api.ipify.org
3	api.ipify.org
4	ip-api.com
6	api.ipify.org

pid	process
2516	File.exe
2516	File.exe

description	pid	process
Token: SeDebugPrivilege	2516	File.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exeFile.exe

description	pid	process	target process
PID 2508 wrote to memory of 2516	2508	d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe	File.exe
PID 2508 wrote to memory of 2516	2508	d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe	File.exe
PID 2508 wrote to memory of 2516	2508	d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe	File.exe
PID 2508 wrote to memory of 2516	2508	d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe	File.exe
PID 2516 wrote to memory of 1580	2516	File.exe	WerFault.exe
PID 2516 wrote to memory of 1580	2516	File.exe	WerFault.exe
PID 2516 wrote to memory of 1580	2516	File.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

outlook_win_path 1 IoCs

Processes:

File.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	File.exe

C:\Users\Admin\AppData\Local\Temp\d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
"C:\Users\Admin\AppData\Local\Temp\d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\Desktop\File.exe
"C:\Users\Admin\Desktop\File.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2516 -s 888
3⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wVFZNXNRPyFRwwPuFuZRRNLT078BFBFF000306D254E847F694\94078BFBFF000306D254E847F6wVFZNXNRPyFRwwPuFuZRRNLT\Browsers\Passwords\Passwords_Edge.txt
Filesize
52B

MD5
fdec4452a98b7d7f3dc83904cd82a724

SHA1
2b447ea859993ab549ee1547c72071e59cace07c

SHA256
59b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235

SHA512
87a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432

Download Submit
\Users\Admin\Desktop\File.exe
Filesize
1.1MB

MD5
bc8ec6ae561e3c2706004a1455f2eea3

SHA1
a2c03450a47899dbb2390a9a152ae13cdd4a1bdc

SHA256
cb5c79133f2204ea0dfcc8794771a836a1e2676bf5fcd9615135b0b8c1b0e9f3

SHA512
be8cce3f3d13c3e1f9c531415909fe183e4602c3c7edefced16041745fd24dee4257e7c60962b1ba9689257aa96b420dd313777c038bf99736ca26868927f3eb

Download Submit
memory/2516-6-0x00000000002E0000-0x0000000000408000-memory.dmp

Filesize
1.2MB

Download
memory/2516-7-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-40-0x000000001CCE0000-0x000000001CD60000-memory.dmp

Filesize
512KB

Download
memory/2516-64-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-65-0x000000001CCE0000-0x000000001CD60000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads