echelon | b5943edb5bc6de1fdcee0d555aafb3fcc2e6cdaaec8a5415caaada2328501e83

Analysis

max time kernel
72s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76fad3569cffe8e8d91bf06b545ec346.exe
Size

1.5MB
MD5

76fad3569cffe8e8d91bf06b545ec346
SHA1

1b5bf0f630c9c354d80caccf3e4a18342450197a
SHA256

b5943edb5bc6de1fdcee0d555aafb3fcc2e6cdaaec8a5415caaada2328501e83
SHA512

75ab8c69cb6a5b55656341cce8eaf654fd3a37b6b2e2ea48f1cafe4a8baf6efbca51c9bebc310564f60393cb56efa5f3a9176b1a6a1f6a1b0634e371b639424d
SSDEEP

24576:Fo8k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRRD:Fo8kQTA5Qw7CSikJo54clgLH+tkWJ0N7

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3892-0-0x00000000001C0000-0x0000000000344000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
24 ip-api.com

flow	ioc
4	api.ipify.org
5	api.ipify.org
24	ip-api.com

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

76fad3569cffe8e8d91bf06b545ec346.exe

pid	process
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe
3892	76fad3569cffe8e8d91bf06b545ec346.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76fad3569cffe8e8d91bf06b545ec346.exe

description pid process

Token: SeDebugPrivilege 3892 76fad3569cffe8e8d91bf06b545ec346.exe

description	pid	process
Token: SeDebugPrivilege	3892	76fad3569cffe8e8d91bf06b545ec346.exe

C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe
"C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
1KB

MD5
6ca856c7d40e1edc69008e9f4f7a7ba2

SHA1
62b795c02b6b02e313c15e1c369991f08814a95c

SHA256
a8cdd831224a169d08a48633ace3675d98a243ccff849a85ebd1e95a76d04242

SHA512
6423bb1e45a8277b2c3ee1cb21324a8abca3735efcf8e45d1aa27e597230e37f01999a3229eb98ff2d42e68de17bf1f093546f5d7e89f246fecdb4b04e9d1db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
1KB

MD5
e21da2b922a86aa441a087588d8ba063

SHA1
eae0e83300e2fd672a5b75989f9934658aafc42e

SHA256
80a07a4e8531475b3819d1a9611b8bdb0205702bb6c7f96729cbc4b9ee496758

SHA512
e3131a211c6e5ec2ccafb0378fabeed48156b5e8df2d6ecb0b7dbfa47a7ca35244114ff788e72b8e6950be9bd3ed1fdcc4863b18af8d3103449e07abdd039343

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
2KB

MD5
88fe72ee318201e46a1fc7f58fc5a0f7

SHA1
799df8bb300d508996d900212edad6170a9bd2bf

SHA256
d62a3f605afb8ed80e349f488425d6fb576b9acbf0c8afac0cc341bbc7096912

SHA512
1ae6ca9d5e0295124618832910a062ddc85d3565dda03b1886bd0dcc483c861b21de7605713ed27813c15b9ffa4e0757c46d77a15c21a81cf41099e820294a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
2KB

MD5
656726952302f87aa14938d0db9ee454

SHA1
a7218b06ef1170e77be390b33877b38519f19e28

SHA256
51664925b2e581d6a27d81a84273aaa8a1dbb6572956a5455bc73e1868ba6e8b

SHA512
101e39b11d24bbca94f815458c9c2296b724a9104cea9070c143216a69514b51aecb98d97be8899d4e0c925d7749557d9cfe61e35250dd8004a8154b538fd5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
2KB

MD5
81b99703a3960d307cd3ab62339c6d2e

SHA1
78a2f3bc7bb88f881a2511cc2de8221c48f81a23

SHA256
2ca6e84f6978690a4fbe9f8afb9c8906362e17dfec9da01861ed44ac3df4832d

SHA512
33182c99d24f276968c8c85686593b71efdfca475e630864f5399895d83aa1d320b0de7866c1cce2231d02b80cce641e71763d28535ed05e90b9b0ad70eb478d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
3KB

MD5
e181e9fc3087583b84164406113f6321

SHA1
7244c18a52b2c74fa39b7104e779f304b9ae4c12

SHA256
6661f2827c61623c6e7ab76fc8c79eb9dc4289e564b781d1f573fbf6f1a2f880

SHA512
0686425870c1faec44ab2becaff21a17aaf9ff89bf7d6ad7e41cc2ff0cf3e9f9c17028c614b4982a61e5adccb9cbed99a8edb57f85d962bcaa62858eb55c8249

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
3KB

MD5
78dd6580ce6665dd6d6c2f0c244463f8

SHA1
67cac6c403c3f17e1c0722fb0c2eb250fd8241d8

SHA256
ce4f8a9c0b97185ba35cffcf896ffb5076a0b82a13d250b25c452104583a277f

SHA512
31e53c2f36069f2491f2fa435e147abfa64467f495e99f5818f000a9c73c99600fba4cab10fc1e9a7ea1b866ab519a26d8444325c0db738952d5e42a929c4b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
4KB

MD5
266b750ff315185a8866f8a186995b76

SHA1
df45b2f0e9a4647cc74b90e7a13bc613c49fa93a

SHA256
cc40de1552dab9ec217ede32da2c13a8afcf4ad8e440143a0028099035586dd2

SHA512
3a7e7e9d664c02b65998cfb489a24d403e20593ce5f84484dec2e56d76a759ba8403e1671f0a6460388c268387978916cc4dfb3a5a2e47d2b0a6ed17a7014645

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Browsers\Passwords\Passwords_Edge.txt

Filesize
852B

MD5
f6112b3498179e945ef8ca979e810858

SHA1
78411bf22b09f0243f0c4405970b292e8f391f41

SHA256
72b2b8ebdc6ebf268b47939e38ff5c6439d458b1149af61b69103de2a0f3feb0

SHA512
1ab7bd43b6a62c79336d907e2ec6337f61b20bfdd4b184ff4d3838a84097353c8d7bf21a3e9751b1a7e1af0fae704c39aed1c683bbc1b9151351e246e91ac604

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Computer.txt

Filesize
302B

MD5
7c84b31259e05d332019701d9f0daac6

SHA1
aa5d16f1514dfa36fe26e64d3313bd397851535f

SHA256
db3fad06cc6b5ae58ae189b241a2df9ce0726ab30dd17da84c715ee5f82ab4a9

SHA512
51c1296fcf4171d93a53c4e4b0eaa9637e393bf33104aa4b5f5e48f572cdfcfa18aa8ff950d100aec2cdc5decb5fdffe6ecc6ff0d55601de21d6d8303a96084d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Grabber\SetUnregister.doc

Filesize
427KB

MD5
fa46b10e84802f87ababb025e1d8e426

SHA1
2d33204f6d50c316859712408299a14589c7ec67

SHA256
205ea5b154fb14af4f8830aa157930ea1e8e74701791dd17e5a369fb07b8ccd6

SHA512
286b7541942cf822b37a045783223860038a1e73412abd2be5d96d61120f3dd9e448399191821526561420d43f2dc584410642eb90ec6f4fea654c26c55e051b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Processes.txt

Filesize
859B

MD5
e4f50825dd99f2642f1230ec73040ff9

SHA1
4798e721d6ea2519669e60133ae9d0fcb544c3d7

SHA256
2008527a478a7bbd3933060d853e40190e80e5faf60b3cf1dbc3ccbef228db8a

SHA512
b8a3eb60b4b8cc55fb68a5cfcbee91e66c852bfdf30acb6a1983017d1655256f6e084ddd5437859cb48c71a62bca17c11f8374b77f096930af3b0fed42279df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Processes.txt

Filesize
833B

MD5
c83fea4ca5e4a27e09965928e158cb00

SHA1
a4b3e7b18fc63ad2970dda58aadc00e735378949

SHA256
8071ac27ac712dfc84eb8ed342115a1f8b4cd3c1a36c52394d23019e5e21d9ce

SHA512
582a8d70812e075665beb589710cd99324f2ccf9cc2ba9785fc82a7baeb1c4dc964f4809ae3426745eb44ee2676a471290dae33f5835e2d0b3a0a221b09faaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Processes.txt

Filesize
898B

MD5
17d3e91114f365e21d2cca5923745678

SHA1
19bb995196cc4c12d16ce6033573ef66577bd74b

SHA256
eb345788184663c16a96bed8457bab77ed71a11dc525a6d38442c174ab373837

SHA512
04758c30ee3e1bb5cb10efb03f0ffc9723c681ee3c92b4eea27ff3152079cad3220aa228d19689081e594f0e412727e0ecb60ccbcc1816e244227ac45843f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Processes.txt

Filesize
868B

MD5
5eae8ea38587b9af6dab14e41cd0f01a

SHA1
b88d261ad57a86b0ff0e29fcd3a470407daace0b

SHA256
b8e3f4df4c641561d7f54eb8ff8d8de2c02f7df969ec7920069b4bd50e57a128

SHA512
f41896a99f342eff4de471f9fd5867313cee59edf4987030bce1a5d4d7bd7f831cd673b6b94385809b91b5b138c1e9d1881a958e782eac177401f9fa4553bc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPBuHwRHNBDLLXLTJJyH078BFBFF000306D22ED8715E82\82078BFBFF000306D22ED8715EFHPBuHwRHNBDLLXLTJJyH\Screenshot.Jpeg

Filesize
83KB

MD5
45b8e97a1783cdc035144d91c40f71ee

SHA1
b60f6b0544ecf472318fba0f1ce0c77588eb18c6

SHA256
d9de6d22c59305e8e419e5c6b584c31df149345b0d866bacf1a38374f604c8a5

SHA512
e34316d8361020fb1c9611ef5323d247bd3d12dba0b0ebf7fcada3246023c917381009d9f6840279d861c355a146fcf1226d2bc10503839ab15c4533ea8e63d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
92KB

MD5
ec564f686dd52169ab5b8535e03bb579

SHA1
08563d6c547475d11edae5fd437f76007889275a

SHA256
43c07a345be732ff337e3826d82f5e220b9474b00242e335c0abb9e3fcc03433

SHA512
aa9e3cb1ae365fd5a20439bca6f7c79331a08d2f7660a36c5b8b4f57a0e51c2392b8e00f3d58af479134531dc0e6b4294210b3633f64723abd7f4bc4db013df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ls078BFBFF000306D22ED8715E.tmp

Filesize
114KB

MD5
3de1f2cb05a86cf5f9f9dcb1c4571e2c

SHA1
6559d08f0309ee7b915223f5fb605c4d191897db

SHA256
f69ff691912ec53cf36e6ad0722e1ac48f564048c5b66018a1b85ba2bad1cbf6

SHA512
da2b9fae2a139c214a4fba309c4752e32ab133d55a785c554b75d2deab96db87ee83a1dda3e4b8a6205d10fa2b1631ee01ce61b819c937e87abf094d906fc872

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-01-26T09_23_09.8949634+00_003030

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-01-26T09_23_10.1605400+00_003030

Filesize
288KB

MD5
00ff5e1f4b5440b6a8b05a14bace6788

SHA1
efafa00e29790d631387211586583b70a874c8cb

SHA256
52ba583637e04542e9a810519f38a648d8dd2360797bbe3642af179106ffcee6

SHA512
be0f76f77005389b4f0fb0595a92cfb280c2a2bea39bb2f4a9ea359fa3c739313a09afb41aa84bc47bfd003fbd54c2c290012b55763276fdeaf65d28d99d604d

Download Submit
memory/3892-214-0x00007FFAFE550000-0x00007FFAFF011000-memory.dmp

Filesize
10.8MB

Download
memory/3892-292-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3892-0-0x00000000001C0000-0x0000000000344000-memory.dmp

Filesize
1.5MB

Download
memory/3892-3-0x000000001B580000-0x000000001B5F6000-memory.dmp

Filesize
472KB

Download
memory/3892-2-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3892-1-0x00007FFAFE550000-0x00007FFAFF011000-memory.dmp

Filesize
10.8MB

Download
memory/3892-1554-0x00007FFAFE550000-0x00007FFAFF011000-memory.dmp

Filesize
10.8MB

Download