echelon | 562720cf37245f6bdf71692343b7d7ccc2187e45979e957b86407a21aa83854c

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c10e8fa7d800c4a24b36dffec2cea7.exe
Size

2.4MB
MD5

69c10e8fa7d800c4a24b36dffec2cea7
SHA1

07bea76542382f9613d4de5da9b36abb3276988d
SHA256

562720cf37245f6bdf71692343b7d7ccc2187e45979e957b86407a21aa83854c
SHA512

4cd0dbb29192a8ebc31abd673aa7983a6e2f24e89cc684fb720777aaf5a692010c6f800e1f50b9ffbc9dea397d97a91118a0325cfc4337d83cb2296a6b68bd6f
SSDEEP

49152:IzecMn91vjBteouiARLrW8oj12yoYBGfUjAIgX2z2r:gu9dNtb4nWpjIYBCv9

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4864-2-0x0000000000620000-0x0000000000BD6000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	api.ipify.org
18	ip-api.com
6	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	Process
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	Process
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

description	pid	Process
Token: SeDebugPrivilege	4864	69c10e8fa7d800c4a24b36dffec2cea7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

69c10e8fa7d800c4a24b36dffec2cea7.exe

pid	Process
4864	69c10e8fa7d800c4a24b36dffec2cea7.exe

C:\Users\Admin\AppData\Local\Temp\69c10e8fa7d800c4a24b36dffec2cea7.exe
"C:\Users\Admin\AppData\Local\Temp\69c10e8fa7d800c4a24b36dffec2cea7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Computer.txt

Filesize
302B

MD5
054a9c8935c72b314e3c00ed7cd1429c

SHA1
747afcdb9345a3b55a15e1ac663f566cb44c895e

SHA256
44f224429f91b12672a870c1af7d5d8d645b332b3b289c9bc9e437711013be7f

SHA512
bf02bc5bc309f470ee7f1d7b39699f0acf95f57a7efa3b8b4804579feb74fa2652e779933fd9d0970aabf7010299313d657abd6508d9c75bfe4cd1688d881a0c

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Grabber\GetUnblock.jpg

Filesize
708KB

MD5
df2e691cc25ccc1865a6d9f52cfdd661

SHA1
1a96c5f8eed764d624208a9b47fb8c7cc0ca27f7

SHA256
6714a818a82c9501364379e882ca6b093f171fc2c829dd2d9b80ec123f695340

SHA512
9eff48d19cc60269665386a4d97e97dc31f2edbc170963861466c2ba317c45a6430e89baaa6489daa7056af17177c219ffbbfc5bf97c8204043266f556230ea4

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Grabber\StartBackup.txt

Filesize
391KB

MD5
5d26e6c5e3134a2c493505b808e56e11

SHA1
72c5e881d52e2fac69d237334ef66a7894d15ce8

SHA256
f40f0a69fd9f6072831ef6b08c2f69591be8b5d792b29c99d1ceedc08ec8a7c8

SHA512
437ff4dd8ee065bd99492e7663d9596119907fc2c053d1187f46b76258dae888e7832bb3e0fa29ec3e0019543656bd1bb48313849c5731f849b34968124555b5

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Grabber\WaitGroup.txt

Filesize
432KB

MD5
b8d45a8ca43ead845b6b7bf4b78c66a1

SHA1
89c4a166d7806bfa7897403878ed95b1b5e6c3df

SHA256
4feb17596c8bd06cbc5440076599cce67c922d4b3bc08f87600d08717e0231e6

SHA512
ce43df7609722f51bf42fac6de74514717f2397a15ecf7807ca9e1b414413ea69d3897691ab528081d618f4f1bb81b8216c54139af7fbd6ec537a993c9e82537

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Grabber\WaitReceive.doc

Filesize
343KB

MD5
63e975666016d76a3ab8d441c6736e04

SHA1
3d26162c09a58a5f47df24231a16255ec5f798a9

SHA256
81e180ee72a7f3bf791dce26af2f60617f6f5af07566ea3bfe4ec9023b2e6bbe

SHA512
33d0e34b709ae12429a2a8335e34107b7dd02590452a80d7cd3508a488cd099d9d218fb731407817d219aab6fce777ac4c690f70cbec5f9e43e3b33e14a090bd

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Processes.txt

Filesize
869B

MD5
0d09f189ca4f81d57b58b0e6c3412032

SHA1
9e1b812ec40426f5f190a4150a42903700b17080

SHA256
cd01741d6d8a16e3d39f786aca3115e445577224e7937e614e181cd026bcfd3c

SHA512
84ad313f401c8ec383de41cb4b0d0ec0297baa8f5eaf019a7c1a4330e6e55c4b32cfeec0ca50174eeb76bdf74d3a4f5669ee698a725a5469a44eaa4d75d21c6a

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Processes.txt

Filesize
843B

MD5
00f4c580526e9802533f45f71a923f8f

SHA1
2090a90b10d56257f3cb5d0edaefaee42664f1cf

SHA256
54e33f6ee89554ea201c945184ed018d6dcbc1507e379ae778b8f09521eb18b9

SHA512
0f97f8d76e0811cdc1fe4bce09f0e33f226d4719e410ddda96386d8f012a9f18f6436ee001327749c1cef9d1ac3205aa0792d6e288f99e484fbc518394e46911

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Processes.txt

Filesize
834B

MD5
95253f366284680de4929ab8a33e8e2e

SHA1
7d9ca32e51c48521470993462a0d6fb94e11c0ff

SHA256
114be41da307eddeee9085bdf6ff976a53f52ebaf97a345147c3baddb17a228b

SHA512
9e641e7edbd663189a536fa9163ffee674fb1bf2190ebd888ef87fa565425c10b205fea9f7fdb0f0c0065ac5bc96dc78b2ce3c214417f68d1b89e26eb5350eda

Download Submit
C:\Users\Admin\AppData\Local\PBTyNwTFPHPyyV078BFBFF000306D22ED8715E60\60078BFBFF000306D22ED8715EPBTyNwTFPHPyyV\Screenshot.Jpeg

Filesize
81KB

MD5
b0e0840b829c5fb6db964770a25e70af

SHA1
a2b8a8f3cdad5a1e960d974c48d23d3c4d1f749d

SHA256
b45c496357c458a43101cbb282fd3af48dd4d2d61a58f41534b12b98f9b2f3ed

SHA512
25b2446ff25c4085f203ef6cd98db38f62e468a6dd57287195233c83dedd1dcb588bb9cf5d86b4bda2d13e044f4b8aaa39e3048ed111f766d2d8c305c306970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
92KB

MD5
ec564f686dd52169ab5b8535e03bb579

SHA1
08563d6c547475d11edae5fd437f76007889275a

SHA256
43c07a345be732ff337e3826d82f5e220b9474b00242e335c0abb9e3fcc03433

SHA512
aa9e3cb1ae365fd5a20439bca6f7c79331a08d2f7660a36c5b8b4f57a0e51c2392b8e00f3d58af479134531dc0e6b4294210b3633f64723abd7f4bc4db013df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ls078BFBFF000306D22ED8715E.tmp

Filesize
114KB

MD5
6748ac4d2b78b0f2f7126e5287fd65ad

SHA1
34e0e312074b9eb978b6305a98a29afa377c12d9

SHA256
7f0440512876a572012658f13921aaeec9351d8281bd32d679ac4314c982c9ad

SHA512
bb90c049b9de758acee99856a3438a8035e2cdbc9a43cd39244461e3e29c99b545122d36625a9e562fba24181b6568e2b0a3c738fc1efe82bdac644187fd9001

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-01-20T06_46_19.4395172+00_001717

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-01-20T06_46_19.6895965+00_001717

Filesize
288KB

MD5
00ff5e1f4b5440b6a8b05a14bace6788

SHA1
efafa00e29790d631387211586583b70a874c8cb

SHA256
52ba583637e04542e9a810519f38a648d8dd2360797bbe3642af179106ffcee6

SHA512
be0f76f77005389b4f0fb0595a92cfb280c2a2bea39bb2f4a9ea359fa3c739313a09afb41aa84bc47bfd003fbd54c2c290012b55763276fdeaf65d28d99d604d

Download Submit
memory/4864-0-0x0000000000620000-0x0000000000BD6000-memory.dmp

Filesize
5.7MB

Download
memory/4864-21-0x0000000008810000-0x0000000008DB4000-memory.dmp

Filesize
5.6MB

Download
memory/4864-19-0x0000000007DF0000-0x0000000007E82000-memory.dmp

Filesize
584KB

Download
memory/4864-12-0x0000000007870000-0x000000000790C000-memory.dmp

Filesize
624KB

Download
memory/4864-123-0x0000000006510000-0x0000000006520000-memory.dmp

Filesize
64KB

Download
memory/4864-99-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/4864-66-0x0000000000620000-0x0000000000BD6000-memory.dmp

Filesize
5.7MB

Download
memory/4864-5-0x0000000006A70000-0x0000000006AE6000-memory.dmp

Filesize
472KB

Download
memory/4864-4-0x0000000006510000-0x0000000006520000-memory.dmp

Filesize
64KB

Download
memory/4864-3-0x0000000006520000-0x0000000006586000-memory.dmp

Filesize
408KB

Download
memory/4864-2-0x0000000000620000-0x0000000000BD6000-memory.dmp

Filesize
5.7MB

Download
memory/4864-1-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download