echelon | c3a19079975435934b29b6240b39aea2c5695657cbec4d5e27d862edf1c61c7a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6ca1276e7b7d3cb2b80c923344d224c.exe
Size

1.0MB
MD5

d6ca1276e7b7d3cb2b80c923344d224c
SHA1

aba6992aff5b194d04b003bfeeca7bb4ff7c94e3
SHA256

c3a19079975435934b29b6240b39aea2c5695657cbec4d5e27d862edf1c61c7a
SHA512

727ef205904c12df9b4b85323f54913f07fde65f4cd715ecdb6345ba65fd6be0b0b95e89759036f9a0c90ba4c17616c25707996f0aed93d57970c84b240056e5
SSDEEP

24576:tjE5uYGhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRyE:1o54clgLH+tkWJ0N9

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4256-0-0x0000000000170000-0x0000000000276000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 api.ipify.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d6ca1276e7b7d3cb2b80c923344d224c.exe

pid process

4256 d6ca1276e7b7d3cb2b80c923344d224c.exe
4256 d6ca1276e7b7d3cb2b80c923344d224c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d6ca1276e7b7d3cb2b80c923344d224c.exe

description pid process

Token: SeDebugPrivilege 4256 d6ca1276e7b7d3cb2b80c923344d224c.exe

flow	ioc
6	api.ipify.org
7	api.ipify.org

pid	process
4256	d6ca1276e7b7d3cb2b80c923344d224c.exe
4256	d6ca1276e7b7d3cb2b80c923344d224c.exe

description	pid	process
Token: SeDebugPrivilege	4256	d6ca1276e7b7d3cb2b80c923344d224c.exe

C:\Users\Admin\AppData\Local\Temp\d6ca1276e7b7d3cb2b80c923344d224c.exe
"C:\Users\Admin\AppData\Local\Temp\d6ca1276e7b7d3cb2b80c923344d224c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZRVwVuZZZH078BFBFF000306D266EA2EA947\47078BFBFF000306D266EA2EA9ZRVwVuZZZH\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRVwVuZZZH078BFBFF000306D266EA2EA947\47078BFBFF000306D266EA2EA9ZRVwVuZZZH\Grabber\OptimizeMeasure.png

Filesize
1.2MB

MD5
9ac0b1667701a0a15f6d5b5997c99418

SHA1
c941af4b201a9e22f3388e3ac535a24f952a8297

SHA256
5d7d313d9077785ba840847ce86954057dba848a0864ab76771a690124dea4fd

SHA512
10fb62ce98f4ccd65c694111ff2eeb3adb1eddd500b00ba2a2f6cdb3fd3a3edb3bd9d57ce1578efeabb8f70fc36ab9094767d1fdf7aff27b828a14d5d40fadd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRVwVuZZZH078BFBFF000306D266EA2EA947\47078BFBFF000306D266EA2EA9ZRVwVuZZZH\Grabber\SyncBackup.jpg

Filesize
609KB

MD5
84f66137c8936023361719b8fd430c5e

SHA1
6f1d46f35e345d872ae75ec15389562884472b89

SHA256
a334d989577ee35473cae020cbbbc348bf79bc6861704246435dd697daf32556

SHA512
3eb7b2c0c8edf2a84f6d84afca2041a5f5f36ff154709f7ca9512c3c0c6542f96518511cbfe1739a62f5560c9838e7e91f8680334e74c7737161949e5e9a9583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRVwVuZZZH078BFBFF000306D266EA2EA947\47078BFBFF000306D266EA2EA9ZRVwVuZZZH\Grabber\TraceCopy.txt

Filesize
420KB

MD5
0a8a0be04e226e30275a6449dbcd6077

SHA1
d13a559ceeacc9ed442f4bbf7bc025edc90ceed9

SHA256
41ef8f41a526be3d1c307f555d1ab9d29423536d4ddf44eac6cb2ddef3599894

SHA512
7b5af3d129868c71974893ed1f84da4a010471183e2b0436162b870484b6c9689dde910694e896804717e076b128447c840c5c3e574aae23342f68d613f78260

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRVwVuZZZH078BFBFF000306D266EA2EA947\47078BFBFF000306D266EA2EA9ZRVwVuZZZH\Grabber\UnblockConfirm.cfg

Filesize
528KB

MD5
e3562fe85dcbcbbb8d4accf19e95c7a4

SHA1
452d0075e03ba14790827520b21b7d72e627c92f

SHA256
743b345dbba72450491de2268487a6ab683eb1215437ac6b8dfa7ce3dd4d2f15

SHA512
7726bee7bc0f75c994ee8bdd2f57ff8771653667a682815eb9ab7d2f9db3ebb70672637b77567b834099ccb3899438d7a04069e8b3d9e5405f4987d8fe189b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRVwVuZZZH078BFBFF000306D266EA2EA947\47078BFBFF000306D266EA2EA9ZRVwVuZZZH\Grabber\UninstallOptimize.txt

Filesize
626KB

MD5
3c9ca95aed2a18c4ca454b59da376013

SHA1
ddd0225655bb91832b417f408de89a2f608f68a7

SHA256
d6dffc590ac2242114441db1b5b415889f1b085f14719a296c342fdf92f87b67

SHA512
0935f7f978341ebe8d32ebc450c1fe3f67859d6b060c0294676a327d44cecb8f04ecbfe4401e6242630da818ab314bd50849df836a1aee2dee458b59984e7f70

Download Submit
memory/4256-0-0x0000000000170000-0x0000000000276000-memory.dmp

Filesize
1.0MB

Download
memory/4256-1-0x00007FFCA6780000-0x00007FFCA7241000-memory.dmp

Filesize
10.8MB

Download
memory/4256-3-0x000000001BFA0000-0x000000001BFB0000-memory.dmp

Filesize
64KB

Download
memory/4256-2-0x000000001BE50000-0x000000001BEC6000-memory.dmp

Filesize
472KB

Download
memory/4256-101-0x00007FFCA6780000-0x00007FFCA7241000-memory.dmp

Filesize
10.8MB

Download