echelon | 18f6c675acef58163ad7322fbbaf75ac8d92c50e3f4e2dd02f26bbc4a93f4262

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76240af1d6ebffbf210af7d95b59b97e.exe
Size

1.0MB
MD5

76240af1d6ebffbf210af7d95b59b97e
SHA1

8f029dfb9a98bd1c34335010c97780ac3f602d61
SHA256

18f6c675acef58163ad7322fbbaf75ac8d92c50e3f4e2dd02f26bbc4a93f4262
SHA512

71f2a9bb9a3ba9b0123fa302c6a96f9ff5b58be7804d1a84c170c4b69173428ddbc6807e91e034b23f83db9b51dfb8c6c7ae439fb822b7887927e5c84c007687
SSDEEP

24576:jfQYNBhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR12Q:Po54clgLH+tkWJ0N5

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 discord.com
21 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
10 ip-api.com
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

76240af1d6ebffbf210af7d95b59b97e.exe

pid process

4280 76240af1d6ebffbf210af7d95b59b97e.exe
4280 76240af1d6ebffbf210af7d95b59b97e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76240af1d6ebffbf210af7d95b59b97e.exe

description pid process

Token: SeDebugPrivilege 4280 76240af1d6ebffbf210af7d95b59b97e.exe

flow	ioc
20	discord.com
21	discord.com

flow	ioc
3	api.ipify.org
4	api.ipify.org
10	ip-api.com

pid	process
4280	76240af1d6ebffbf210af7d95b59b97e.exe
4280	76240af1d6ebffbf210af7d95b59b97e.exe

description	pid	process
Token: SeDebugPrivilege	4280	76240af1d6ebffbf210af7d95b59b97e.exe

C:\Users\Admin\AppData\Local\Temp\76240af1d6ebffbf210af7d95b59b97e.exe
"C:\Users\Admin\AppData\Local\Temp\76240af1d6ebffbf210af7d95b59b97e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VFHPZVDXNTVXRZJLFT078BFBFF000306D250431B2274\74078BFBFF000306D250431B22VFHPZVDXNTVXRZJLFT\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\VFHPZVDXNTVXRZJLFT078BFBFF000306D250431B2274\74078BFBFF000306D250431B22VFHPZVDXNTVXRZJLFT\Grabber\PushNew.jpg
Filesize
195KB

MD5
464c5eb5287cc0e2678a4ca953b706b7

SHA1
0b6e9c0a617b85f87b4517ece3afe09e835e5376

SHA256
b1f9e12cb8b79784279b7d5bc5df7987baf760fa57813f4530be570daa1d2c8d

SHA512
00e09a663d849dca5a41d7a536a17cd191038cfbce48bebaca45cc64b8009c743c52142fdb0aa16bd1c00c284c9d28f46293c6e168b4b64c4f2e0497c6afcd6a

Download Submit
C:\Users\Admin\AppData\Roaming\VFHPZVDXNTVXRZJLFT078BFBFF000306D250431B2274\74078BFBFF000306D250431B22VFHPZVDXNTVXRZJLFT\Grabber\TestCompare.doc
Filesize
468KB

MD5
ebaecced9fc11ad9fa73db63dae8a238

SHA1
5df4a1d9bb7d415474acd81d95411ea25ce798d2

SHA256
b5e13e1eabffd0bc5cdfd06da2c0c0d093508099ac147c523733dc25c4ed6ccf

SHA512
bf34fd879b6be92e8ae798cdf2061146dac6bcec916e642bd0c10128b6d1093d8f5cb5b4d40b626638a401f628bc20c189462bb3a3f52f060e1ea0a715a63389

Download Submit
C:\Users\Admin\AppData\Roaming\VFHPZVDXNTVXRZJLFT078BFBFF000306D250431B2274\74078BFBFF000306D250431B22VFHPZVDXNTVXRZJLFT\Grabber\UnblockSave.txt
Filesize
232KB

MD5
c3fc65ff582772ba475dfb0b7203101e

SHA1
3e52405047e77d3e2783b5abe0f7245028565647

SHA256
4e62b61b12ad3dc83c03747edab0c7e72fa23b95bb67a8a0cf240376649e3252

SHA512
0693f8b31b60b9885878ce04eee81af7a13fa4bfce85e3743f800539d539e40ec40e595e56be5ea42188c58257da94a1c050bfe27fb2eb4829f4935bb427ba3d

Download Submit
C:\Users\Admin\AppData\Roaming\VFHPZVDXNTVXRZJLFT078BFBFF000306D250431B2274\74078BFBFF000306D250431B22VFHPZVDXNTVXRZJLFT\Grabber\WatchApprove.jpg
Filesize
287KB

MD5
73b5a2f56790be042800ecfdfc7e08d8

SHA1
8be0ff1259b2e7e012a5e3c550f261f006e0a930

SHA256
0f1ff87f532e1178be898e64c87165139c43cf3f5c241efde8411371d35f5d1d

SHA512
598a4f0a6cfbdd377d2ea7babed974e58d4f7dd2bfee6fa4a74378935bde33354a83e313af5013c7eb378ec1ab6d285262e85b862523f9e947c3d0e60ce4369f

Download Submit
memory/4280-0-0x0000025655D30000-0x0000025655E3A000-memory.dmp

Filesize
1.0MB

Download
memory/4280-1-0x00007FFBAC9B0000-0x00007FFBAD471000-memory.dmp

Filesize
10.8MB

Download
memory/4280-3-0x0000025670480000-0x0000025670490000-memory.dmp

Filesize
64KB

Download
memory/4280-2-0x00000256703E0000-0x0000025670456000-memory.dmp

Filesize
472KB

Download
memory/4280-95-0x00007FFBAC9B0000-0x00007FFBAD471000-memory.dmp

Filesize
10.8MB

Download