echelon | 94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d

General

Target

94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe
Size

995KB
MD5

87e97a6eae614b6337a6d4e51d08a88e
SHA1

7b5381794f91ab6c352e03bd534c818deb5f1d53
SHA256

94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d
SHA512

ed25acd29946a3d41e09d1e46376293cb5e8c2833bf7ec886dec5c45fdba966393ed33895dfb99364fbba6bb98dfdef4b6406d52427a09f06b6373e368b029d0
SSDEEP

24576:jBkVdlYAK0qnvXMGYsHM/Hv5WPDRFN2Hs:FsvOvXMb0D7N2M

Score

10^/10

echelon collection discovery evasion spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023201-29.dat	family_echelon
behavioral2/memory/2116-30-0x00000201CC600000-0x00000201CC69A000-memory.dmp	family_echelon
behavioral2/files/0x0006000000023201-28.dat	family_echelon
behavioral2/files/0x0006000000023201-22.dat	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Echelo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Echelon.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Echelon.exe

Executes dropped EXE 3 IoCs

pid	Process
4104	Echelo.exe
1228	Echelon.sfx.exe
2116	Echelon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
20	api.ipify.org
79	ip-api.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2116	Echelon.exe
2116	Echelon.exe
2116	Echelon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	Echelon.exe
Token: SeManageVolumePrivilege	532	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4104	5060	94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe	85
PID 5060 wrote to memory of 4104	5060	94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe	85
PID 5060 wrote to memory of 4104	5060	94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe	85
PID 4104 wrote to memory of 1228	4104	Echelo.exe	92
PID 4104 wrote to memory of 1228	4104	Echelo.exe	92
PID 4104 wrote to memory of 1228	4104	Echelo.exe	92
PID 1228 wrote to memory of 2116	1228	Echelon.sfx.exe	93
PID 1228 wrote to memory of 2116	1228	Echelon.sfx.exe	93
PID 2116 wrote to memory of 2584	2116	Echelon.exe	97
PID 2116 wrote to memory of 2584	2116	Echelon.exe	97
PID 2584 wrote to memory of 2496	2584	cmd.exe	96
PID 2584 wrote to memory of 2496	2584	cmd.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

C:\Users\Admin\AppData\Local\Temp\94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe
"C:\Users\Admin\AppData\Local\Temp\94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584

C:\Windows\system32\sc.exe
sc stop "MpsSvc"
1⤵
- Launches sc.exe
PID:2496

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe

Filesize
297KB

MD5
d3309191069a8450034c4423942da9c0

SHA1
2873b5f3e290ef11cca1b46aa19ad99ec90e24ba

SHA256
574a5aafa98eca477995e51bc1260c3acb4da7becbefe10ea7aef7cdb7d7de59

SHA512
6da2f1be036a35e4c68acba5ad9330af44769d8fe4fb0c12cafc525ee166961af4819033b7341ebae2769ef3b2ea81eb7bd5c53baf9f6043008f5bea495b7fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe

Filesize
142KB

MD5
2653a79ea8b05765244a27073c2d2e77

SHA1
8cd2bd39157f102f2a485de9c6ddb36ac9901ada

SHA256
c39d4c5cdb794dd3f36fa7e63ab6b55c0aecb4cfa1378821e5bd887a6a553e2c

SHA512
8b73892be7e8b6d0d29a4d63aa36ac85e89dbe0e13451d708362b1b32121780fc23159b74792c204536064d64c6d1b23af08898a96448ef08e239dca272c3566

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe

Filesize
49KB

MD5
c8bba4d5e0cd3f3865394f399b77077e

SHA1
d0a974a2eafef93377baadbd989463127800b42b

SHA256
738d8d2a540586878f81c7b24e82e2f41edde8bf1a0573f2077c7a362f82a9dc

SHA512
4142169a5e20dd60afab4182136072e3dbc5158aa874214a8d51e27e0dabb0a5ce6b871ca52984797763885d05457682dc29e9b244f2eac466d573ef74a1b1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exe

Filesize
583KB

MD5
bb2847eb97f3cfcd9ad90440b39faaf7

SHA1
c895b360d6e0095e66febe2e9b4e4bc0ac993a07

SHA256
fdcb8a7f8949ebe037f6cb8cb307427ec10da380303ade6daadc7db7c166d244

SHA512
2a6e3f4ee22d558b73add32e4b0a77dbc1e3866e6335455bdafea1dd9bb903b452aa6687882d81a0f4b34dc30afc3e319f8aa4d481523493bb92c3387c3b6588

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exe

Filesize
649KB

MD5
d87dbaf2295af3f2f55f7ca333b4668f

SHA1
95aa151d52ce3174d4d0e909c8e14e8373e4506a

SHA256
4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79

SHA512
992b8d780758003e237e5c4c3b8eb9cd5276f79965d58976ce0b93128a95346927ee122294b8dea2c8f46aea4b7ab46c916099fbf60b15cc4987dec34217d0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe

Filesize
371KB

MD5
20d46db4b65f63ae3201318dd3afa640

SHA1
385e3c79236a747dfd41ae65f5b7d5721b30840f

SHA256
b89a38362edbca622b14bd58f588e2168865a47a66c064d4f1062ef9887cf644

SHA512
3815638de7fed3e9d5432f09e8ecd925fc0576f63a715d6ca7c17993f31b9cb81a9f6c2be9d112bc5e274fb730086f62d23ed125216cd1918dd467b9b8afeda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe

Filesize
490KB

MD5
853d3a2c2aa008b2721eec4d98348a8d

SHA1
b6c42c4dbc13250573bd65057d412c5ff7d07b54

SHA256
5c0dc12ab37d39f583fb7c3eabcacb5c78381bc40e7dd88d9ab5db04033b98df

SHA512
084ac6dd898e4c0b78ca70f2c917e03bdef51174d519b6b28bf90ffed580907733a75f2dffeed8c845b90259b5d158b6f818e94f4be1af29b3d97e0c5434e643

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe

Filesize
329KB

MD5
94b8630741eaf13e80aa93ff39a1ef04

SHA1
d1427cf71987a25400265cd1fa6bf78c6c7c2967

SHA256
b205870444d00f2faea0ad36760be3fad657dd12c72be4ff5f1164afd148ea5c

SHA512
4233d827c1e16ce3da9cadd0afab55f8bc564241cf7141a067683418cce10c0aceb339cf1070dcf2a4416df7eb353f9d0c8fc8c7654a4954e92b3433703ab6ac

Download Submit
memory/532-94-0x0000020F58640000-0x0000020F58641000-memory.dmp

Filesize
4KB

Download
memory/532-62-0x0000020F50240000-0x0000020F50250000-memory.dmp

Filesize
64KB

Download
memory/532-96-0x0000020F58670000-0x0000020F58671000-memory.dmp

Filesize
4KB

Download
memory/532-78-0x0000020F50340000-0x0000020F50350000-memory.dmp

Filesize
64KB

Download
memory/532-97-0x0000020F58670000-0x0000020F58671000-memory.dmp

Filesize
4KB

Download
memory/532-98-0x0000020F58780000-0x0000020F58781000-memory.dmp

Filesize
4KB

Download
memory/2116-32-0x00000201CCA80000-0x00000201CCA90000-memory.dmp

Filesize
64KB

Download
memory/2116-33-0x00000201E7CF0000-0x00000201E7D66000-memory.dmp

Filesize
472KB

Download
memory/2116-60-0x00007FFE4B090000-0x00007FFE4BB51000-memory.dmp

Filesize
10.8MB

Download
memory/2116-31-0x00007FFE4B090000-0x00007FFE4BB51000-memory.dmp

Filesize
10.8MB

Download
memory/2116-30-0x00000201CC600000-0x00000201CC69A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing