echelon | 02f71e98c5c48f61b12c633b5f4012b30fce5e80c165f3f9ee87738631c47ed2

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

790c0dc8e06b49f065a7247d814bb6aa.exe
Size

1.0MB
MD5

790c0dc8e06b49f065a7247d814bb6aa
SHA1

97c48d3568cfe2592e5a75f91db1f89774ab3a73
SHA256

02f71e98c5c48f61b12c633b5f4012b30fce5e80c165f3f9ee87738631c47ed2
SHA512

e93cdc604f0c74613f1e7ea51e86b89bb5c0525d77535340e0617c4191288c728a5e69b578094e2bce69618fccaff030027c1001da1435929220534ce31a4889
SSDEEP

24576:kfQYxUhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRto:lo54clgLH+tkWJ0N0

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
13 ip-api.com
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

790c0dc8e06b49f065a7247d814bb6aa.exe

pid process

4916 790c0dc8e06b49f065a7247d814bb6aa.exe
4916 790c0dc8e06b49f065a7247d814bb6aa.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

790c0dc8e06b49f065a7247d814bb6aa.exe

description pid process

Token: SeDebugPrivilege 4916 790c0dc8e06b49f065a7247d814bb6aa.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
13	ip-api.com

pid	process
4916	790c0dc8e06b49f065a7247d814bb6aa.exe
4916	790c0dc8e06b49f065a7247d814bb6aa.exe

description	pid	process
Token: SeDebugPrivilege	4916	790c0dc8e06b49f065a7247d814bb6aa.exe

C:\Users\Admin\AppData\Local\Temp\790c0dc8e06b49f065a7247d814bb6aa.exe
"C:\Users\Admin\AppData\Local\Temp\790c0dc8e06b49f065a7247d814bb6aa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DHLZNHLRLyRZDXFw078BFBFF000306D21C0E061965\65078BFBFF000306D21C0E0619DHLZNHLRLyRZDXFw\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\DHLZNHLRLyRZDXFw078BFBFF000306D21C0E061965\65078BFBFF000306D21C0E0619DHLZNHLRLyRZDXFw\Grabber\DenyExpand.zip
Filesize
183KB

MD5
32d976619cfa8c60a8b07187dd1953d0

SHA1
f878895cde98599f38c3236a17c6838e44291aa7

SHA256
67e99a0e17088a263f2635f0ccb28657770320b3b34a680fd4a7c3637f74c700

SHA512
53e7c22f3ef47216e57cbe8cfdc0137e650b3f8b0b49f2ea11635ead7a41e90b520d99ff2ebca26d2d525e6c36564fe3e334a9560a4ea857463132316c840c50

Download Submit
C:\Users\Admin\AppData\Local\DHLZNHLRLyRZDXFw078BFBFF000306D21C0E061965\65078BFBFF000306D21C0E0619DHLZNHLRLyRZDXFw\Grabber\MoveMeasure.jpg
Filesize
206KB

MD5
5188a694ee1d991b51113d0c282caaed

SHA1
701a78d97c38af25ff010b27ef87331a7db879e4

SHA256
7ff7fc8ffcadeb864619bb0e89b14de0a5145720a9131de28bb5e68fc8d86bda

SHA512
bb082ddaf467bc04e2fface163df87eae8f46fc3e5d0349631024aac85eed17beaac697c8c35e116f29ee940f0913f70d6e6ef9c48036b3271c52e9fa4fab471

Download Submit
memory/4916-0-0x0000025E21570000-0x0000025E2167A000-memory.dmp

Filesize
1.0MB

Download
memory/4916-1-0x00007FFFBF2C0000-0x00007FFFBFD81000-memory.dmp

Filesize
10.8MB

Download
memory/4916-2-0x0000025E3BBA0000-0x0000025E3BBB0000-memory.dmp

Filesize
64KB

Download
memory/4916-3-0x0000025E3BAD0000-0x0000025E3BB46000-memory.dmp

Filesize
472KB

Download
memory/4916-83-0x00007FFFBF2C0000-0x00007FFFBFD81000-memory.dmp

Filesize
10.8MB

Download