echelon | 77189b22dfb8238a4837f95e3283150bca8105d618cc421cde8170644bcf878b

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c58af9384d71e33bae1d8a032d9e7b19.exe
Size

4.0MB
MD5

c58af9384d71e33bae1d8a032d9e7b19
SHA1

15bd308104a7b2d05ba9fd03b3a4c5410afabc56
SHA256

77189b22dfb8238a4837f95e3283150bca8105d618cc421cde8170644bcf878b
SHA512

ac80eb00dcf2aec8a56e071281030b9c3ec57460b2a2c59b8db43ce51a60465a419ed1e5f887d7e2d8b41c0aaca226244bb52e7c72cccf44f477fcdad03aa3e8
SSDEEP

49152:PSzzgkLJWvg/RdFy7/QhWwALywBDyVt4kWzzwskrk4NZXuMk6o9ufAXV4AK:

Score

10^/10

echelon zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4844-108-0x0000000004C60000-0x0000000004CFC000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-113-0x0000000004B90000-0x0000000004C2A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-115-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-114-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-117-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-119-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-121-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-123-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-127-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-125-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-129-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-131-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-133-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-139-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-137-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-135-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-141-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-143-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-145-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-147-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-149-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-151-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-153-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-157-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-155-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-159-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-161-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-163-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-165-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-167-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-169-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-171-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-173-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-177-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-175-0x0000000004B90000-0x0000000004C24000-memory.dmp	family_zgrat_v1

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000300000002276c-5.dat	family_echelon
behavioral2/memory/1588-7-0x00000000007B0000-0x0000000000934000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinNetcommon.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WinNetcommon.exe

Executes dropped EXE 2 IoCs

Processes:

WinNetcommon.exeDecoder.exe

pid	Process
1588	WinNetcommon.exe
4844	Decoder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	api.ipify.org
26	api.ipify.org
43	ip-api.com
53	freegeoip.app
54	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Decoder.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Decoder.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Decoder.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1428	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

WinNetcommon.exeDecoder.exe

pid	Process
1588	WinNetcommon.exe
1588	WinNetcommon.exe
1588	WinNetcommon.exe
4844	Decoder.exe
4844	Decoder.exe
4844	Decoder.exe
4844	Decoder.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WinNetcommon.exeDecoder.exe

description	pid	Process
Token: SeDebugPrivilege	1588	WinNetcommon.exe
Token: SeDebugPrivilege	4844	Decoder.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c58af9384d71e33bae1d8a032d9e7b19.exeWinNetcommon.execmd.exe

description	pid	Process	procid_target
PID 4996 wrote to memory of 1588	4996	c58af9384d71e33bae1d8a032d9e7b19.exe	91
PID 4996 wrote to memory of 1588	4996	c58af9384d71e33bae1d8a032d9e7b19.exe	91
PID 1588 wrote to memory of 4844	1588	WinNetcommon.exe	97
PID 1588 wrote to memory of 4844	1588	WinNetcommon.exe	97
PID 1588 wrote to memory of 4844	1588	WinNetcommon.exe	97
PID 1588 wrote to memory of 3668	1588	WinNetcommon.exe	98
PID 1588 wrote to memory of 3668	1588	WinNetcommon.exe	98
PID 3668 wrote to memory of 1428	3668	cmd.exe	100
PID 3668 wrote to memory of 1428	3668	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\c58af9384d71e33bae1d8a032d9e7b19.exe
"C:\Users\Admin\AppData\Local\Temp\c58af9384d71e33bae1d8a032d9e7b19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Roaming\WinNetcommon\WinNetcommon.exe
  "C:\Users\Admin\AppData\Roaming\WinNetcommon\WinNetcommon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
490KB

MD5
c29c0d495ed13e703f433d53bdffdab8

SHA1
74ed36e6b6027b61abcfe2956670ffd9de7fd71a

SHA256
20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b

SHA512
fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

Download Submit
C:\Users\Admin\AppData\Local\ScallyMilano\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\ScallyMilano\ProcessList.txt

Filesize
432B

MD5
74e0ad8adc4896dd5c06570450adbc64

SHA1
95e70ac93a5671fea7efb07ac35557853cae1dbc

SHA256
f04f36f2405143e4129f571fc65df6b1edcd155fdc19d2f50f04634156114b8c

SHA512
2885098dc561f71077c41ee164e1d4ad0d721d248f0cb6de9669c7880a254444d08ab6655e3197713439f28bb2d6bcf19bec960de83c3159e0d6626fe872fc90

Download Submit
C:\Users\Admin\AppData\Local\ScallyMilano\ProcessList.txt

Filesize
766B

MD5
1802dc7f3c00fb07044632c5ab24802b

SHA1
27d0129817c4160c5e5493dc1d7ecd163728d7ed

SHA256
327b5f94078d9f2e58ae0a49eff9131dc707b1e2c728d231119f1c44fd3a87a7

SHA512
6034389bb593691fff9839118610b173af7388065031978bd93c5ea189cf26eda98e4455ac9cdb6b5be16f2b66a7216506af3a1c0790df156ea2395df075ebb5

Download Submit
C:\Users\Admin\AppData\Local\ScallyMilano\ProcessList.txt

Filesize
844B

MD5
654b6bd8e21c1e3e359cb36950eab779

SHA1
56e40e8663af443f77fa285250ae07a47c5f5e30

SHA256
216e044a62bf77c83121a306a24ddb6680446fa054defd71b318b7dac6f80d07

SHA512
b8d3d06177c5ce65abed28617a68fee212cd0e20114928474625a9e7186c5a31648a131be31dee0fcaab50957be705141ab764dd82ef7fae189d138a9492fc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp88B8.tmp.dat

Filesize
92KB

MD5
d8258cfea30050e289acf9aa882159f2

SHA1
26acf382025e2880308c3cb82ee11b935f52d6fa

SHA256
97f3a97af8aad5da47509b3b5639b85c82f5b67fb34193ef409c9bb84c2e334b

SHA512
caa184c63653b9b8be5b76833be8caf40d8a6804cc26b329d955e5b59e5cf75c0e9e654f5e4fef9fdb76536f43fe3d9a4017a3446f0610d6df61f3737f44a74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp88C9.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\yLRuwPPJXyTVTNNTXPXuPRPy078BFBFF000306D20C3638F892\92078BFBFF000306D20C3638F8yLRuwPPJXyTVTNNTXPXuPRPy\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\WinNetcommon\WinNetcommon.exe

Filesize
1.5MB

MD5
ad2f6dd54f8a52708148b9fe50f7ede9

SHA1
20b3284ad569811a6f28a39a92b6da61d2713079

SHA256
59c3fc7329bf3f09b892d86419da8d1872dc2262683ec45b348a1c27993133b0

SHA512
7f2c297b294a20edf52e63eaf7311883295b6bd5c6cd14e839ba8174dabcb353df4536976ba680f647311cfc86f6952f82a0508a6b6dbfe03fbdac7a7e3b57af

Download Submit
memory/1588-9-0x000000001B630000-0x000000001B640000-memory.dmp

Filesize
64KB

Download
memory/1588-105-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

Filesize
10.8MB

Download
memory/1588-10-0x000000001BC40000-0x000000001BCB6000-memory.dmp

Filesize
472KB

Download
memory/1588-7-0x00000000007B0000-0x0000000000934000-memory.dmp

Filesize
1.5MB

Download
memory/1588-8-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

Filesize
10.8MB

Download
memory/4844-145-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-161-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-113-0x0000000004B90000-0x0000000004C2A000-memory.dmp

Filesize
616KB

Download
memory/4844-115-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-114-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-117-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-119-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-121-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-123-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-127-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-125-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-129-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-131-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-133-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-139-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-137-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-135-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-141-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-143-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-111-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4844-147-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-149-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-151-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-153-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-157-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-155-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-159-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-112-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/4844-163-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-165-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-167-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-169-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-171-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-173-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-177-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-175-0x0000000004B90000-0x0000000004C24000-memory.dmp

Filesize
592KB

Download
memory/4844-562-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4844-110-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4844-109-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4844-108-0x0000000004C60000-0x0000000004CFC000-memory.dmp

Filesize
624KB

Download
memory/4844-595-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/4844-107-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-713-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-710-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4844-690-0x00000000072A0000-0x0000000007306000-memory.dmp

Filesize
408KB

Download
memory/4844-694-0x00000000056E0000-0x0000000005756000-memory.dmp

Filesize
472KB

Download
memory/4844-707-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-708-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4844-709-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4996-0-0x0000000000020000-0x0000000000420000-memory.dmp

Filesize
4.0MB

Download
memory/4996-1-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

Filesize
10.8MB

Download
memory/4996-2-0x000000001AFF0000-0x000000001B000000-memory.dmp

Filesize
64KB

Download
memory/4996-12-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

Filesize
10.8MB

Download