echelon | eee4fba673b357a74ced02afde9f0dd7cf44c88e56c4eec83e3c958435d1dc10

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020cb440a198e13ef81ba5b21285450d.exe
Size

1.0MB
MD5

020cb440a198e13ef81ba5b21285450d
SHA1

779a7f07be3f27b7e22ed41496570685f49c4fb7
SHA256

eee4fba673b357a74ced02afde9f0dd7cf44c88e56c4eec83e3c958435d1dc10
SHA512

5e21500f46a1c1c5504e0c1a7f4c0a2f457bffc5438e96d843f09d1dacb8336381fe5e8a3c8f81be3a72f32969dc5b07b2bb734d553733d113aa70538c3566ad
SSDEEP

24576:mfQYosxhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRt+G:Uo54clgLH+tkWJ0Nb

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
3	api.ipify.org
26	ip-api.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

020cb440a198e13ef81ba5b21285450d.exe

pid	Process
3596	020cb440a198e13ef81ba5b21285450d.exe
3596	020cb440a198e13ef81ba5b21285450d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

020cb440a198e13ef81ba5b21285450d.exe

description	pid	Process
Token: SeDebugPrivilege	3596	020cb440a198e13ef81ba5b21285450d.exe

C:\Users\Admin\AppData\Local\Temp\020cb440a198e13ef81ba5b21285450d.exe
"C:\Users\Admin\AppData\Local\Temp\020cb440a198e13ef81ba5b21285450d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HTyHDZLDHDJZBNJuw078BFBFF000306D208BC0FF368\68078BFBFF000306D208BC0FF3HTyHDZLDHDJZBNJuw\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\HTyHDZLDHDJZBNJuw078BFBFF000306D208BC0FF368\68078BFBFF000306D208BC0FF3HTyHDZLDHDJZBNJuw\Grabber\DisableDeny.jpg

Filesize
395KB

MD5
016558188ed7c6e4f0d70969b1f44410

SHA1
bcb3d7c3a04b1dbb874df5e56c7280425a5d3ad1

SHA256
8059805548f61022f488616ee270479708383cf0807784e87556061caa2c0c33

SHA512
58c868bc9858c0e8b4fab27989c5bcaaff87ad5c6fe64eaec4d19318c21dfd53327c111f8e9d29262854976200e382079ec9f6fd8ad58251f3418c28a32b1c2e

Download Submit
memory/3596-0-0x000002615A920000-0x000002615AA2C000-memory.dmp

Filesize
1.0MB

Download
memory/3596-1-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/3596-3-0x0000026174E40000-0x0000026174EB6000-memory.dmp

Filesize
472KB

Download
memory/3596-2-0x00000261750D0000-0x00000261750E0000-memory.dmp

Filesize
64KB

Download
memory/3596-68-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/3596-69-0x00000261750D0000-0x00000261750E0000-memory.dmp

Filesize
64KB

Download
memory/3596-79-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download