echelon | 543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0

General

Target

543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe
Size

992KB
MD5

af98b79c86ad3d365c62a482505d45f5
SHA1

f01414990dcf96cbb541278de2c47b31e0a5a095
SHA256

543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0
SHA512

08cf29aca9e774a02abc29231ff1e64ff41f46df4532e1fc8f6df92fb28d52c758a2fa23e5c5a5cab1f484c44756356f98815c1a5140e4961ffd937cb9d89416
SSDEEP

24576:jBkVdlYAKSyxe4Pfv7EgUDQK3LZlnphP3C40ffWQ2:Fsv5yxeKfv7EgULZ5/j0feQ2

Score

10^/10

echelon collection discovery evasion spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000600000002321b-14.dat	family_echelon
behavioral2/memory/1628-23-0x000001A12B610000-0x000001A12B6AA000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exeEchelon.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	Echelon.exe

Executes dropped EXE 1 IoCs

Processes:

Echelon.exe

pid	Process
1628	Echelon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Echelon.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	api.ipify.org
8	api.ipify.org
27	ip-api.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
1120	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Echelon.exe

pid	Process
1628	Echelon.exe
1628	Echelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Echelon.exe

description	pid	Process
Token: SeDebugPrivilege	1628	Echelon.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exeEchelon.execmd.exe

description	pid	Process	procid_target
PID 1944 wrote to memory of 1628	1944	543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe	87
PID 1944 wrote to memory of 1628	1944	543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe	87
PID 1944 wrote to memory of 1628	1944	543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe	87
PID 1628 wrote to memory of 4664	1628	Echelon.exe	92
PID 1628 wrote to memory of 4664	1628	Echelon.exe	92
PID 4664 wrote to memory of 1120	4664	cmd.exe	93
PID 4664 wrote to memory of 1120	4664	cmd.exe	93

outlook_office_path 1 IoCs

Processes:

Echelon.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

outlook_win_path 1 IoCs

Processes:

Echelon.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

C:\Users\Admin\AppData\Local\Temp\543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe
"C:\Users\Admin\AppData\Local\Temp\543b3b925680a46c184e74e1241886b561c9a55970bc1200e19ee377a916f5f0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\system32\sc.exe
      sc stop "MpsSvc"
      4⤵
      Launches sc.exe
      PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll

Filesize
448KB

MD5
60caabbd43235889d64f230617c0e24e

SHA1
f5f922bd3c69591663187d40ad732c73a5bda290

SHA256
4d7851bb977d7bd1d7503e994bc4c4083faa2751f41624237309157b1b88681d

SHA512
fedccb31b488ec1b7b28e8614a3eb53eb130c176837f687395e61a0f3f522d742d46ece1f6852ca45e831abe21728e08dadf010d828a49fbfdc9840b42cc975c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe

Filesize
592KB

MD5
52c389a5c951fa6b0c5636ece3b9a4cc

SHA1
7ea98e6dc3113e1bb7a89a4b8c3f29f770163b68

SHA256
8b7240910326218e895b469398b4e98443ba8aba78e17270659050fb7562f930

SHA512
6bdbd1dfd21f7db0682972502e632fa006843db79c46265e8199c75f69458ecf6506c3c5b8424d465d004483897056739e2edb73b821205b48a0d7fb6b48f38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe.config

Filesize
216B

MD5
ed6192054a346a72d8bd4352895f25f9

SHA1
2de8e2859eb7451eb23d408cf9fa45f37a4e2d0e

SHA256
707f233f9e814e64d7655a78275e60bb44c35646292fa5b41ee936e1763c9f77

SHA512
7fe3851b67da2cd748c5e194e7b0c8252c65516ac710d950e5d6ac3aefe7051a5a01e034d6714f1dba077046ec211d234eb9f19e05c80d292b24e0f84dd6ce0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.pdb

Filesize
465KB

MD5
7eb1ff59d8695aafd0ce4d16db69b3c5

SHA1
b9be9d9046571261e90f837a3dbeed8b55810740

SHA256
f137fdf94917ca89993d845de108300fece885c8a27ce856feff355fedf21651

SHA512
5a619f0effae27f2b2320d908a950e2c72a93e2a1991ac727d7f0a08f7399c2e44f8c3f6a19a0e649d24f9b091583aa9773393756a1cf8cb9d5c5ef46ffdb5e3

Download Submit
memory/1628-23-0x000001A12B610000-0x000001A12B6AA000-memory.dmp

Filesize
616KB

Download
memory/1628-24-0x00007FFD34F20000-0x00007FFD359E1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-25-0x000001A12D320000-0x000001A12D330000-memory.dmp

Filesize
64KB

Download
memory/1628-27-0x000001A145F00000-0x000001A145F76000-memory.dmp

Filesize
472KB

Download
memory/1628-52-0x00007FFD34F20000-0x00007FFD359E1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-57-0x000001A12D320000-0x000001A12D330000-memory.dmp

Filesize
64KB

Download
memory/1628-58-0x00007FFD34F20000-0x00007FFD359E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads