echelon | 3041de101c4097ef99160b98653a51d3a92b487da293e08f019fb85cb54edd35

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1160b9510cfb408faee17ec57fb728b9.exe
Size

1.5MB
MD5

1160b9510cfb408faee17ec57fb728b9
SHA1

283cc745e5532ba5a53f78b6a4a564a4f655cdbb
SHA256

3041de101c4097ef99160b98653a51d3a92b487da293e08f019fb85cb54edd35
SHA512

29182201305adcca77616caab939f6fcb77f1d032ac47babcbe389d33585fd39c45033752979edda70454c690651d8eb3f34937c80fdb063bc69f4d65b2ebd61
SSDEEP

24576:hmgk70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRRP:hmgkQTA5Qw7CSikJo54clgLH+tkWJ0N7

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/640-0-0x0000000000620000-0x00000000007A4000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
24 ip-api.com
98 ip-api.com

flow	ioc
4	api.ipify.org
5	api.ipify.org
24	ip-api.com
98	ip-api.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1160b9510cfb408faee17ec57fb728b9.exe

pid	process
640	1160b9510cfb408faee17ec57fb728b9.exe
640	1160b9510cfb408faee17ec57fb728b9.exe
640	1160b9510cfb408faee17ec57fb728b9.exe
640	1160b9510cfb408faee17ec57fb728b9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1160b9510cfb408faee17ec57fb728b9.exe

description pid process

Token: SeDebugPrivilege 640 1160b9510cfb408faee17ec57fb728b9.exe

description	pid	process
Token: SeDebugPrivilege	640	1160b9510cfb408faee17ec57fb728b9.exe

C:\Users\Admin\AppData\Local\Temp\1160b9510cfb408faee17ec57fb728b9.exe
"C:\Users\Admin\AppData\Local\Temp\1160b9510cfb408faee17ec57fb728b9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Browsers\Passwords\Passwords_Edge.txt
Filesize
852B

MD5
f6112b3498179e945ef8ca979e810858

SHA1
78411bf22b09f0243f0c4405970b292e8f391f41

SHA256
72b2b8ebdc6ebf268b47939e38ff5c6439d458b1149af61b69103de2a0f3feb0

SHA512
1ab7bd43b6a62c79336d907e2ec6337f61b20bfdd4b184ff4d3838a84097353c8d7bf21a3e9751b1a7e1af0fae704c39aed1c683bbc1b9151351e246e91ac604

Download Submit
C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Computer.txt
Filesize
302B

MD5
2c2c98959555354b59d879cedf0e22fb

SHA1
bd94ad1e1f8bd62a491ea19cfd4e8362d6a93d23

SHA256
f481e962ab0f86659a9c430e797c46d77887327c605be2ff3c95bb32ffc696b5

SHA512
280622a6934f330188a30ff6189e2ed23d5c071fc08f03a2b89676489a9f1fd0b91c1fea1b4c564a8a18dd514d218cba1668a795c962e6451ad996bcdfa3d62b

Download Submit
C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Grabber\GrantUnlock.doc
Filesize
378KB

MD5
85fc963c81e6c94c6735522a3214f65e

SHA1
01946da68b553dcdd37a941b1f23d1359cf4b1da

SHA256
732814523fe7188a953142efbc04f9b9b6e0214ffece48ea9db5492cb9101847

SHA512
f6f52d84195f88e2af427b6eea204c8d14c9bf65c74c08748dfefac0964cddd9eaf6326217986f88c3ad2f493727e1ef8a786b65438c7737809cbc6ae5426a1b

Download Submit
C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Grabber\OpenSet.doc
Filesize
381KB

MD5
ba04c14875cc2f9884e50d83a601104e

SHA1
cc4f4d9f11226a2c857b23ba5ec1cdb661281a10

SHA256
ccb06d37a8c8c6a342f3d6fee364c7043e25cf0d72d585624623f2c5be64dc7f

SHA512
46a62764c59529aacbcfce4e582c0c8a5fb003581f4539b29bcec5f75b4ed25b3df80d8aaf1fbefd2154b87d7ba0099f9dcd0f35e95f2a13c383c2b6372cc7e8

Download Submit
C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Grabber\PublishGrant.txt
Filesize
602KB

MD5
2e820a277d6ec4ca162d12f75f5e5b0f

SHA1
9164fe6b112c02fcfb59eae6505d2d5679fe43ad

SHA256
d4809aba4488cd8c44223e56ab09b2154feb6152c742814eeb19ae2880d51d08

SHA512
60d7dd65a2d52df4d85b319eb481284089d28a54cd595f31c83eb5fdeb2fcfcbcf088882ccbf39ccf725784ccc99414d4ffab02409192b9ada35a5c73781a188

Download Submit
C:\Users\Admin\AppData\Local\DyFVBwPPXuBHuHNFByBNTV078BFBFF000306D20E224AB685\85078BFBFF000306D20E224AB6DyFVBwPPXuBHuHNFByBNTV\Screenshot.Jpeg
Filesize
81KB

MD5
767a9638b292b280938e44e038a034f9

SHA1
9bf303395529fae23310d75c44cc0ae89846c6d8

SHA256
cce59d29b0a3f711e5adbc3ceece522056881ea28af52e609c9407bf6dcadf43

SHA512
d7a12c698ddff442cb35122ab43898aa61587a6655b4c0bfb990f0a3b409e573c6c21a7f6c104d5082c6af065d9bf8fac0476841a4a9f59244efc1f4eac98d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D20E224AB6.tmp
Filesize
92KB

MD5
02687bdd724237480b7a9065aa27a3ce

SHA1
585f0b1772fdab19ff1c669ff71cb33ed4e5589c

SHA256
9a535a05e405b789e9fdaf7eaf38e8673e4d0a8bd83768e72992282a69327d89

SHA512
f8ce4f6ad7211cbd17ba0cb574ac8f292727709479e059f4429a818d3b74dbe75d6e6f8cb5576b6bc7e3c1bd0b471127f0ddb38e816fad8aa44a77c15de7e6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D20E224AB6.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D20E224AB6.tmp
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
memory/640-0-0x0000000000620000-0x00000000007A4000-memory.dmp

Filesize
1.5MB

Download
memory/640-3-0x000000001BA40000-0x000000001BAB6000-memory.dmp

Filesize
472KB

Download
memory/640-73-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/640-72-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/640-1-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/640-2-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download