echelon | 9258fb579d6597ae1cb061dc2dfcd3fdbc6d689f4844bae159bb3f75b9c1b8f6

Analysis

max time kernel
5s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b2fd6cfa20b53ed6d5d55c97ba3884f.exe
Size

1.5MB
MD5

3b2fd6cfa20b53ed6d5d55c97ba3884f
SHA1

a19518b371bc708790bab3f3769d9472559a7de5
SHA256

9258fb579d6597ae1cb061dc2dfcd3fdbc6d689f4844bae159bb3f75b9c1b8f6
SHA512

339b9da108e46690d2c3363c8bedd1bb1f05b6e538b4befc49a44955a3a7f337a4f3e8605b42a15ac1ab36834318e7a82de191d759c05c6291d0551591551f73
SSDEEP

24576:ox1k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqD8kgbS:ox1kQTA5Qw7CSikJo54clgLH+tkWJ0Zb

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1920-0-0x0000000000690000-0x0000000000814000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
19 api.ipify.org
25 ip-api.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3b2fd6cfa20b53ed6d5d55c97ba3884f.exe

description pid process

Token: SeDebugPrivilege 1920 3b2fd6cfa20b53ed6d5d55c97ba3884f.exe

flow	ioc
3	api.ipify.org
19	api.ipify.org
25	ip-api.com

description	pid	process
Token: SeDebugPrivilege	1920	3b2fd6cfa20b53ed6d5d55c97ba3884f.exe

C:\Users\Admin\AppData\Local\Temp\3b2fd6cfa20b53ed6d5d55c97ba3884f.exe
"C:\Users\Admin\AppData\Local\Temp\3b2fd6cfa20b53ed6d5d55c97ba3884f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D292773AA9.tmp
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Vw078BFBFF000306D292773AA920\20078BFBFF000306D292773AA9Vw\Computer.txt
Filesize
303B

MD5
6e7021f07dcad2ff896d5493df27d623

SHA1
67bbc01ffa5421c4ba7a9ba520140220768e8161

SHA256
3fcecbd5d6074f45e55b2d4b6bed0920dc82f4b59f397a59ef95f9b3c30fbc3f

SHA512
d57f833b7b1f09fa34e0c6e02f73fbf5b14b1fa19c16e8089a6c45d963b51a08b6376d0e2b4897ef9079182998c0b6a669d59f6084ea6bdb93ff91c5f3062bdd

Download Submit
C:\Users\Admin\AppData\Local\Vw078BFBFF000306D292773AA920\20078BFBFF000306D292773AA9Vw\Grabber\FormatApprove.jpg
Filesize
371KB

MD5
b8b2b28f5fb0be628f55b9e0cd50873a

SHA1
8cab9f3f1711094d863150f25da1fc6f2f8012b0

SHA256
b3b143735f29dd479844eda1add5eac975447244efe52df4292039da8d2680ec

SHA512
50d2e9d292ab9afe571a5e63d976ee2b060aa40607310ee4583cde15c2c1055804e2ba5f8d9e80443afe0949f7c7c8ae063d591e1352fb8ffde3560c753bd9be

Download Submit
C:\Users\Admin\AppData\Local\Vw078BFBFF000306D292773AA920\20078BFBFF000306D292773AA9Vw\Grabber\UnpublishResolve.txt
Filesize
243KB

MD5
8121aa0eba575212fda90ada6626d538

SHA1
6a322ccfc31e4dcb6a53b287c9801eeddd777b6c

SHA256
c8efdfa67429911a3fc0ed1048e3f3e462f0a7ddfa54b3b4ef925cb6486ddc2e

SHA512
caa1160ecb0884847ce71a742cae910788205e01b1de49399fddac395a464cdf2c68004e274d534bbf1d0e290bd01d87537195ffbbd47ede931da81f97191f6c

Download Submit
C:\Users\Admin\AppData\Local\Vw078BFBFF000306D292773AA920\20078BFBFF000306D292773AA9Vw\Screenshot.Jpeg
Filesize
81KB

MD5
a4d626f6a8f36b857941b564211dbaae

SHA1
802a4988557d5a1bc8bdd32204f4c632ae3ea7c2

SHA256
84f2044fe767a04df81ea3c65b6bc0d5d12f37b8c45e63dcd403103351452ae2

SHA512
a2eea2352043fc7e54edee44b50afd5b69bfffe344786d295ee31e89651c2ed5c3bcc53dabcc5fb067f0dd2bc60458180c9d43403e052249956b1c234283bd78

Download Submit
memory/1920-0-0x0000000000690000-0x0000000000814000-memory.dmp

Filesize
1.5MB

Download
memory/1920-1-0x00007FFAB3420000-0x00007FFAB3EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-3-0x000000001B460000-0x000000001B4D6000-memory.dmp

Filesize
472KB

Download
memory/1920-2-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/1920-68-0x00007FFAB3420000-0x00007FFAB3EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1920-69-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download