echelon | 4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-01-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe
Size

821KB
MD5

ecdff1026e3fde10bfbd1eec8fc56df7
SHA1

582f980152c469de53aeb7230951ebb79f0e7056
SHA256

4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563
SHA512

8b3e19d03fc9f4e336b999f8e261ea7ad4d652a9e28f254cce3ded41fbab32999b9682f68f0ee65ae6ddb4ca072a783487426f5070ada938b5ddd91d7a7f1e6d
SSDEEP

12288:jBdlwHRn+WlYV+8T+tk8z9qnwb6XMMA4pZ8KGuLbAovtau1PtjLxuWRtb:jBkVdlYAK2qnvXMGpy0L8OJPjQqtb

Score

10^/10

echelon evasion spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
behavioral1/memory/2820-32-0x0000000000FE0000-0x000000000107A000-memory.dmp	family_echelon
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

Echelon.sfx.exeEchelon.exe

pid process

2968 Echelon.sfx.exe
2820 Echelon.exe

pid	process
2968	Echelon.sfx.exe
2820	Echelon.exe

Loads dropped DLL 8 IoCs

Processes:

4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exeEchelon.sfx.exe

pid	process
2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe
2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe
2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe
2968	Echelon.sfx.exe
2968	Echelon.sfx.exe
2968	Echelon.sfx.exe
2968	Echelon.sfx.exe
2968	Echelon.sfx.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1120 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Echelon.exe

description pid process

Token: SeDebugPrivilege 2820 Echelon.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

pid	process
1120	sc.exe

description	pid	process
Token: SeDebugPrivilege	2820	Echelon.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exeEchelon.sfx.exeEchelon.execmd.exe

description	pid	process	target process
PID 2520 wrote to memory of 2968	2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe	Echelon.sfx.exe
PID 2520 wrote to memory of 2968	2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe	Echelon.sfx.exe
PID 2520 wrote to memory of 2968	2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe	Echelon.sfx.exe
PID 2520 wrote to memory of 2968	2520	4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe	Echelon.sfx.exe
PID 2968 wrote to memory of 2820	2968	Echelon.sfx.exe	Echelon.exe
PID 2968 wrote to memory of 2820	2968	Echelon.sfx.exe	Echelon.exe
PID 2968 wrote to memory of 2820	2968	Echelon.sfx.exe	Echelon.exe
PID 2968 wrote to memory of 2820	2968	Echelon.sfx.exe	Echelon.exe
PID 2820 wrote to memory of 2684	2820	Echelon.exe	cmd.exe
PID 2820 wrote to memory of 2684	2820	Echelon.exe	cmd.exe
PID 2820 wrote to memory of 2684	2820	Echelon.exe	cmd.exe
PID 2684 wrote to memory of 1120	2684	cmd.exe	sc.exe
PID 2684 wrote to memory of 1120	2684	cmd.exe	sc.exe
PID 2684 wrote to memory of 1120	2684	cmd.exe	sc.exe
PID 2820 wrote to memory of 2552	2820	Echelon.exe	WerFault.exe
PID 2820 wrote to memory of 2552	2820	Echelon.exe	WerFault.exe
PID 2820 wrote to memory of 2552	2820	Echelon.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe
"C:\Users\Admin\AppData\Local\Temp\4b4dfa7f0295c7499b377832ef5cd5d11cbc37bd6ad96b9969fa5d0055bed563.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\sc.exe
sc stop "MpsSvc"
3⤵
- Launches sc.exe
PID:1120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2820 -s 1468
2⤵
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
Filesize
64KB

MD5
e0956addbf2f5923cb2352a00af58ccd

SHA1
199fcb85dd8a8c453266225ef24196531442ad1c

SHA256
43f2358c532d2a138f6c22206cef1ff96256d04dce66a8b825e66339e58e647a

SHA512
82db4db31fd93a65972aa3b23edfa4cbb4ca68582a814f779dc3e6d2e88e1cc2fd97d17ad19ad3360c6f6807c08f197938e06864a03a868158306fa9957462bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
Filesize
92KB

MD5
87ef275b4b6e4bef9d426561d88e411f

SHA1
e499deb889dfaf230cbbd040f34bb69a5d8452cf

SHA256
49503a9f5605843698c0771d832d5d0167f62662bb42f09b84a35eb66ae3bd07

SHA512
5d64909a73a942e3db139d8af0dfef394bd268cd93e18fe1533dea2b894f3ed5289f33939500138cf2bd996e59f77d12059e7ddce7448fb3072bab32338efadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
Filesize
158KB

MD5
86fff4ca4ba19d5419435809a68a23fe

SHA1
4b6b30696061a7bbce3f7e5c70b30383d4f53ccf

SHA256
989dad6c63bbbae9129d37c0f5b231d3393064594116dddc5fb3892ad6537271

SHA512
caa1eeac9aea552696893b0e5dc7939066fbc3d3e5425cb9afab68fc4eaed02fc94575235d2a71404ac5b44602f77a47f33fd44c69b29fb1274ac2e4d22b88fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
66KB

MD5
cd25d47978eb8dd985ecafadc6d9de20

SHA1
b54c829e285a57a9b39962edece22ef0e57b9adb

SHA256
6cce1bac98f7f9046bfc00d3853c74f562fa9795900acfce6e7f788360b956f5

SHA512
25cfc9aa64b8a22a690dfa58159360c3184878f5354cdfa640a379c7ae4beda8a2ac5f253c4739c4b15baf5125fceba0b28aa928c77977dbdd0fe98bad5164cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
165KB

MD5
c2190925d0bc464a5673c4317f9dbdf5

SHA1
f1f089e53afdd1ac92cb07e1ace6079bb2d1ad62

SHA256
94475c16ff64c8adfa3f8f252d195471e46a8e9b331581ed9471a3317a616edf

SHA512
f35a3496af5314b92e7668d76a198d30895513e14154f65a3540afa29d6d258e962ff6f1ba1df1f269b724e2e19b0595c6428af0d534a4be7d0539a2faabf99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
70KB

MD5
dc76d052fdd8ab372f94658c2eed9088

SHA1
51a97e7ea1f3ec4b3a9033a8f6d3dc31e33f32d3

SHA256
48d5a4204727dc5718eaafdcb1e5544661d14db39e0e2dee47ba60cedd78c3d7

SHA512
b7fde26fa3384e0a92933a3fc9c575c707fa7841a894ed84c3558c82f79106c21904eb9aba9641d244d23aad8f84c238f29a5617f674619b17789ee63e123e7a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
Filesize
74KB

MD5
8f4b3921e8a83553d7059e780ed739d4

SHA1
0014b99c43e721fc6940877627f8cf7159f04cfa

SHA256
f734e4129a77ef2fd8f0304085b6f992b6ebec41f93563676e19c2d5c88d014c

SHA512
fe30db7071d37c761aab8282cc17022de3e8c512fbfa38556630c3e7790e74f2f569a74ece859a356a3a17e859da6e30e885a38df947bdc8dadf4a5aab193c5b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
Filesize
264KB

MD5
6aa4e2b6c23f670cf3b0368855886a98

SHA1
9bbe1e2fc3efeca938f3463951b5219f12596ee6

SHA256
38bb2513fa5f30bb55604f59fd8bab46830744523330da2ebd5240fa6dcdf46e

SHA512
cff6478b6514e31b3c0eea2175c840527c323f01c24b3209fc1ce7d786ae211b4a1fa970156a0480242ec67e9834f44a378d6bc2a97673e3690f3f1af7614ca3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.sfx.exe
Filesize
292KB

MD5
7b6ae36e74a50c707f02c91c2f788718

SHA1
b5b9136bd499a4c64c47345956dea70af0c4f0e8

SHA256
dc3898a6815cd41da5f6829903556d053e9c872a1533addfd3d98ae44d7cdf46

SHA512
05beebf20a50fef908788544dbaf5f9c71c03173623c7baf8e9cb8d8ac74767c41926781b7dfbfb8d8d131291a0b2a3ef620f39a75868aaeddc9b9e5f5e7f517

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
119KB

MD5
aa7e3b0087ee100d81ccbf1da51ae6ca

SHA1
d6a29f17b03e9ddd5a062b36785ad10566f9b5b5

SHA256
436e7a09111f7db74abe0890511dd084171709c3e81295cf8a0de79627fcf4d9

SHA512
081b9eb8ca03fc81b08fc28b50cf9362bda28560e89e8a1e8d9d14674cb743dacb6faf277eef1b4cbe6db208ea7de1900615554daa9ae28b11dcfc4c788331f6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
17KB

MD5
01bdfcdde7f94c97b765c252835027a8

SHA1
1f75fad8378714ee72c9e824ab0e84b6cf406647

SHA256
41891d251d766c63637c1a82e804ab0be5845f6da12bc0ad3761a38affbe7243

SHA512
64d5841b09e434b188690ee8ecb36d9060dd121865f42dfc225fe3fbfb22ed190049bb5a322ade7e6b1dffdba49870927fbcfae669c60680718b3dd2ceee289d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
77KB

MD5
8a2d6b5713235f0d8abb94bc6fa269aa

SHA1
eaa6edd3c7b88daee22698d16c9b72d1e434af8a

SHA256
48307586740db016addbbf78fabfd9bd7121172f8534aaae5875ea82144acba5

SHA512
766fa969347fba6c7f3e0544e9e7ea76adb578df8032b9eb86e18c54e62cfdd497f693ffb07502b96f113241177d1af0b9c9104b133c9e6d1386f6e1ae47c2d7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
208KB

MD5
4ee9672c61c45319eebce175c6cd45fb

SHA1
b098a729886b69174e67b560dc21264c44d58f4e

SHA256
acab705bda7a99c89d85c1d0cfb314b6bb2755bbfe0fac28b807e05d8869936d

SHA512
f3307e91ce609985ff0ab5087c8271f9a0691406393f37240bd89337bffe76874c935422cd9070ea0aedfdbbb64c58a2245d5750d19a2bb9af20e05b5c6ed600

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.exe
Filesize
45KB

MD5
1b572889d79bb337e9cbc4a4b13b7ae3

SHA1
4c07372082a2115d62af56c5a649cb7a770c92b1

SHA256
5454b0f30d0a21b77a616f435fd16577c541bebbc4a0c1753618388bb7ba668b

SHA512
a46847ad6ac81eb6dd730255dd97bb6cddd5e08c5cde7b1c51bd115f2c9be5d9106c45dfb552c4ead05d1679ed996cab3a90d406831c5bf3e062b9a3d14248bf

Download Submit
memory/2820-34-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2820-33-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2820-32-0x0000000000FE0000-0x000000000107A000-memory.dmp

Filesize
616KB

Download
memory/2820-35-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2820-36-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download