echelon | 6e7df11f016b14bd88995dcf0ebeb30ffc1d33b08ebbc0aa26476232f6bc9db3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c75d07d3055f80498c650e6d9e1c6039.exe
Size

1.0MB
MD5

c75d07d3055f80498c650e6d9e1c6039
SHA1

a29b57770ee0ae312ec0773765e1fceff5203104
SHA256

6e7df11f016b14bd88995dcf0ebeb30ffc1d33b08ebbc0aa26476232f6bc9db3
SHA512

b24c0a6b3101c22eefe1f8eb0ead444c3ba49d3bc8ec2ae95ef5d97be2c17986bd57bbf207e12163a37416332a2f253c59fa33b1229a14985fd844729ffa9af3
SSDEEP

24576:hfQYosxhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRt+Gu:/o54clgLH+tkWJ0Nbu

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
8	api.ipify.org
9	api.ipify.org
21	ip-api.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c75d07d3055f80498c650e6d9e1c6039.exe

pid	Process
408	c75d07d3055f80498c650e6d9e1c6039.exe
408	c75d07d3055f80498c650e6d9e1c6039.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c75d07d3055f80498c650e6d9e1c6039.exe

description	pid	Process
Token: SeDebugPrivilege	408	c75d07d3055f80498c650e6d9e1c6039.exe

C:\Users\Admin\AppData\Local\Temp\c75d07d3055f80498c650e6d9e1c6039.exe
"C:\Users\Admin\AppData\Local\Temp\c75d07d3055f80498c650e6d9e1c6039.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\yFwPHyPZHTFRXyuZTRuDXVHPV078BFBFF000306D2E094E7CA96\96078BFBFF000306D2E094E7CAyFwPHyPZHTFRXyuZTRuDXVHPV\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\yFwPHyPZHTFRXyuZTRuDXVHPV078BFBFF000306D2E094E7CA96\96078BFBFF000306D2E094E7CAyFwPHyPZHTFRXyuZTRuDXVHPV\Grabber\OptimizeFind.doc

Filesize
720KB

MD5
4d23af2e3fbb7f15a87281abbc60db08

SHA1
3b7647190527010c039c3a795898dab3064adc47

SHA256
46917d2452b564f1fca0f27ecfb62e68f75dd5a3c31afaa1fb9a291500c2936a

SHA512
7265d3dd5ba88ca5148916914a745327ee4875c347d4119a23c56136465934ee9100c8a6a13415dbb73d38a4ed80e189930834235d80820f05a7fb6bffa9093a

Download Submit
memory/408-0-0x00000275F3B70000-0x00000275F3C7A000-memory.dmp

Filesize
1.0MB

Download
memory/408-1-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/408-3-0x00000275F6220000-0x00000275F6296000-memory.dmp

Filesize
472KB

Download
memory/408-2-0x00000275F6210000-0x00000275F6220000-memory.dmp

Filesize
64KB

Download
memory/408-77-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download