echelon | a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4

Analysis

max time kernel
55s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
Size

1.5MB
MD5

4dd426b5b9cb7f9bb7a1b1c057a0c951
SHA1

a6f9518d57d3a0fa683fb23842870d25f6b79133
SHA256

a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4
SHA512

6eaf6ac8186d57dd3a6190fcc556686a9069c776118e4f55ebfb5361cb2b9e317eb7b9c67062f15a93d755ff01bc5563d18fd4453049e7347f16609b32d07d36
SSDEEP

24576:3hAk70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRo:OkQTA5Qw7CSikJo54clgLH+tkWJ0NC

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3156-0-0x000001D4BFD20000-0x000001D4BFEA2000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
19 ip-api.com

flow	ioc
3	api.ipify.org
4	api.ipify.org
19	ip-api.com

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe

pid	process
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe

description pid process

Token: SeDebugPrivilege 3156 a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe

description	pid	process
Token: SeDebugPrivilege	3156	a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe

C:\Users\Admin\AppData\Local\Temp\a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe
"C:\Users\Admin\AppData\Local\Temp\a08b92e0ef621c731c9c9a0a38095df4515f95c8200e508d772cf533395bcab4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Computer.txt
Filesize
302B

MD5
eaf0e4e1ac88f105dfc3a3f9be023bea

SHA1
3b4d95bd7c8eb1cd6dc89e3488b5807cdf72e8b6

SHA256
8455e42e6b24776f081414bc93407354a3ed37984e166d6b50faa5038bd45a34

SHA512
bb63a679d0a80763d1e37b81185b2d6a151365942092018ab9965e6f817346a0765d30cb554f2d1534496a4f21e287c029d53222f87635de68452e0f58b7a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\ResetEdit.jpg
Filesize
228KB

MD5
5d2c78a35005fd3e4012bef9b1f401ec

SHA1
5fa39cafc888ac994a687874e32ee5de8297054b

SHA256
2e0166bd1a12fd035e6fde12b0027795dc2390fea5deaed2025ba9d9ed94b6c8

SHA512
5dcfc302501e5c3f7049c1a4439305072797dbd4498e4173d3a0e940045c247062cb1d6b538b4c51dfb29fc5dd1fdaf7a3bed8994dcfc5971560eca43ab89190

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\UnlockOpen.mp3
Filesize
283KB

MD5
a038a6435bb41ea60f3c5065731196ae

SHA1
196613569054bfe5cbcaf31c471f4b24e8ce6d55

SHA256
2dcd682ecca7a1544c17e7be6136fceac6564338d0d2bd19d8432beb5676d0d8

SHA512
1c7a7937bec81350bca47c4fafe99636913089c3d4cbf593464770f6b3ddca668d9a92ee0691ada7297de8256cf8622b5fdc36832544cf8b3435b93fdd38d739

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Grabber\UnregisterMerge.cfg
Filesize
255KB

MD5
46e142ec9117b39596cac408c6ce6e06

SHA1
4faa15cc5924b89e2587fb155414f9342fdf1aa0

SHA256
a2fe44637b988bba6ca2cd73cc75b986c2f386fc6602faae71c56eaa8f593ee1

SHA512
86adf4fa4fedf6c62258ef4949f5d050e8acfdcfccdfb023944035204f1a584bea2124f9ee981fc1858b305a2c940f3637a0feaf5fd5221177ae40412d627518

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Processes.txt
Filesize
950B

MD5
c44262309499c71a605941070bc00bca

SHA1
8b1bb18621045033c6a68d41f7cef39e15fb620a

SHA256
57d7a407022226978994d5e9c369ade24f47044b041611386029bc1f0f3a8f17

SHA512
c1fa5fed297c2362d5548d350617788f8fa3469b4ca8bd2de81220c93c7fb2215893be91de5e45342f54a5a52ea6b92620103ff72d1aa3cd3ea5f992add3cf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Processes.txt
Filesize
925B

MD5
cf22d6456600078a920eefcccdd84f17

SHA1
f8768850ad4db05b3922e3f005fe3cb9d2772ba7

SHA256
615a341d630cf4b9cf0a2c4832c9e8f3484de387b6c0af2b74c82047493ed019

SHA512
0d2f1682b8fd4cc62ce4d8df9269915ebfadccdea8c43ae69a54545203262d4eb8665976be2541f78ada5242656cf73bdbd2f3d485fc4740a0213749809a0d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Processes.txt
Filesize
930B

MD5
0cb96b0b628220c3d1222578894d8a1e

SHA1
635bff14238f7cebc28c090d8b4d96f0e6b8ba1e

SHA256
86e4ac1f93f9127280b3bf281cc964281fdf9731f72aae1a4968eaabf2ed0ea2

SHA512
9336a75d5d4e584f25eae6bb7994c4084d25da509078a97ff9e107c31f2a4ae9f63564a73d55687d9479bfba40e7fb7fa5b13beea8831138007fe6efd99076a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Processes.txt
Filesize
919B

MD5
11d250aa4e290bf0cb99cf39f32fd536

SHA1
ef2000ed348ab6f447c371e57cc4725f6ad575cc

SHA256
3fc208bdbafc66dec5ea6d2cbd6d04de9019f4885908e8c96a18ca1f5bb8433d

SHA512
40c4deb90512e92a0fde212738194f7047b2725e75dd626ef729e6ae120719a4aa37bf5de059babcb9f9b944e5d154ea4da68e6738693e538e76f89434f37716

Download Submit
C:\Users\Admin\AppData\Local\Temp\VL078BFBFF000306D2CE1374FC19\19078BFBFF000306D2CE1374FCVL\Screenshot.Jpeg
Filesize
81KB

MD5
9fe1c2de32e4146bfbbc2c6cdfac5873

SHA1
8ded41276ba83e550426376b95064a22673f80d7

SHA256
c1ed8dd626bdbaa2a3c837b756391518adee9a4049730ad76b63bfe486112626

SHA512
7a5a3b53b987aa56ae7ac8a4cfd2693cce351fc8304442adc07be50040e83811d5becadbdf40b6b6126c8e64571ea4906351ef059f64834a40dd783c822a0f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2CE1374FC.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2CE1374FC.tmp
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2CE1374FC.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2CE1374FC.tmp
Filesize
92KB

MD5
17a7df30f13c3da857d658cacd4d32b5

SHA1
a7263013b088e677410d35f4cc4df02514cb898c

SHA256
c44cbdf2dbfb3ea10d471fa39c9b63e6e2fc00f1add109d51419b208a426f4d0

SHA512
ea96cc3e2a44d2adeca4ecb4b8875a808ef041a6a5b4ae77b6bfd1600dd31f449b51b1a5997064c43e5111861ac4e3bc40a55db6a39d6323c0b00ff26d113b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ls078BFBFF000306D2CE1374FC.tmp
Filesize
114KB

MD5
722daa9536720e1358dad18c4dcdf5b2

SHA1
657c1cfff6169d78e213e712481d5ce0c46e44e4

SHA256
dc0ec54293d20a9453594fb294900ebbb4c9353cee08c14a52a8a18b0c73cc66

SHA512
3b2bcec63bb683c6ee654dc917f7a604f2b699bfc84befc470539bef0f2ee334c37d86e53f99d94a704d62d6c33f22e850c3c5a51fb12b2b4bae263854a77c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-01-29T01_09_23.2229780+00_001515
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-01-29T01_09_23.3323590+00_001515
Filesize
288KB

MD5
e66d933e285c1df5c1a1dc2a42533306

SHA1
9744bfe28aceb46bc2f387d52b6833f4ecd79c15

SHA256
8a23da9513c1834922811f8b4f4379922101d0e6debac3926c5da01936d101bd

SHA512
bfd8b464672d86dc1ef136ed74452344471d6bd5561406a36a408b4eab8179b675d89471f8318e0b766fd85eac6768755cb7cc624b211f7bf5bfabbea8d331cb

Download Submit
memory/3156-0-0x000001D4BFD20000-0x000001D4BFEA2000-memory.dmp

Filesize
1.5MB

Download
memory/3156-1-0x00007FFEC3D10000-0x00007FFEC47D1000-memory.dmp

Filesize
10.8MB

Download
memory/3156-558-0x00007FFEC3D10000-0x00007FFEC47D1000-memory.dmp

Filesize
10.8MB

Download
memory/3156-627-0x000001D4DA3C0000-0x000001D4DA3D0000-memory.dmp

Filesize
64KB

Download
memory/3156-3-0x000001D4DA320000-0x000001D4DA396000-memory.dmp

Filesize
472KB

Download
memory/3156-2-0x000001D4DA3C0000-0x000001D4DA3D0000-memory.dmp

Filesize
64KB

Download
memory/3156-1537-0x00007FFEC3D10000-0x00007FFEC47D1000-memory.dmp

Filesize
10.8MB

Download