echelon | 5858a2b22cd3ebe442cab79eb456974313a4a3a2d91d99943046a644640f5020

Analysis

max time kernel
63s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape v4 crack by dea.exe
Size

1.0MB
MD5

a6ebc0f0c47859be4cf6979aef8282e0
SHA1

7566d5588d76ba3d800af3d60b49dd6ef589ea05
SHA256

5858a2b22cd3ebe442cab79eb456974313a4a3a2d91d99943046a644640f5020
SHA512

fd62d64f2ff0c05d733cfa80eeadb3375515ed0c3db912c3fd9eaccc4f5210e4b51ff6075b31fb7d4025305b4185d54a48fc58cfd999466077b26ba0e90a80a5
SSDEEP

24576:GfQYMfhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRF+G:9o54clgLH+tkWJ0Nj

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
10 ip-api.com
48 api.ipify.org
54 api.ipify.org
58 ip-api.com
1 api.ipify.org

flow	ioc
2	api.ipify.org
10	ip-api.com
48	api.ipify.org
54	api.ipify.org
58	ip-api.com
1	api.ipify.org

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Vape v4 crack by dea.exeVape v4 crack by dea.exe

pid	process
1184	Vape v4 crack by dea.exe
1184	Vape v4 crack by dea.exe
1184	Vape v4 crack by dea.exe
1124	Vape v4 crack by dea.exe
1124	Vape v4 crack by dea.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Vape v4 crack by dea.exeVape v4 crack by dea.exe

description pid process

Token: SeDebugPrivilege 1184 Vape v4 crack by dea.exe
Token: SeDebugPrivilege 1124 Vape v4 crack by dea.exe

description	pid	process
Token: SeDebugPrivilege	1184	Vape v4 crack by dea.exe
Token: SeDebugPrivilege	1124	Vape v4 crack by dea.exe

C:\Users\Admin\AppData\Local\Temp\Vape v4 crack by dea.exe
"C:\Users\Admin\AppData\Local\Temp\Vape v4 crack by dea.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5980 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3548

C:\Users\Admin\Desktop\Vape v4 crack by dea.exe
"C:\Users\Admin\Desktop\Vape v4 crack by dea.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\Desktop\Vape v4 crack by dea.exe
"C:\Users\Admin\Desktop\Vape v4 crack by dea.exe"
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vape v4 crack by dea.exe.log

Filesize
2KB

MD5
7cf5d0683d9683b0c765125aa4b85bd9

SHA1
1281e67658d4d52df87f97e3ba91e08b91d8579a

SHA256
ee3b5b05f6197712e993be6a37c2f335f9e5809650d15f8b0a55f456370424be

SHA512
b94b101ac6574215aa652b692956fb9df1aef39dd564a9a08f1ac49def5836aa13138ccae5c96008c4adc7f8e4d0401000eeb32503799c53923e3761811c28dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJHPFNV078BFBFF000306D2A4B55DEC35\35078BFBFF000306D2A4B55DECBJHPFNV\Screenshot.Jpeg

Filesize
149KB

MD5
5cb2a0cf501d83c023a53564254aea08

SHA1
2910a1c2afac083281b477c90f7ab2d88687be69

SHA256
23c71a5662a23e81863a5d2d22fcb4b28e72a956c07e49d5b879f9158c611c57

SHA512
e6b0d0ea94363ea1443ba2dbfbd42e8e0208d8ee8ce1b4334e26196417469591052b2e9ea8595871a33595fa606ce12e4924d1a24d14222c47563650078b24b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2A4B55DEC.tmp

Filesize
92KB

MD5
4c2e2189b87f507edc2e72d7d55583a0

SHA1
1f06e340f76d41ea0d1e8560acd380a901b2a5bd

SHA256
99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca

SHA512
8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2A4B55DEC.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2A4B55DEC.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2A4B55DEC.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ls078BFBFF000306D2A4B55DEC.tmp

Filesize
128KB

MD5
a4636a0bf1239fb66d9c27fe307ccc93

SHA1
f3437c40d679376d341510d7ceb06203ee623ee6

SHA256
ad4208423ee766f59983daf12c5a081972d9f766e8663e2dd6bf884ec9053856

SHA512
a72b7965029349501ef7f3afab69f8ed08df1068de37fed6d3134ab18242750ca79d89da4a24c42ab57f4f3bffc50815013deecd76f6297ccef4f34b1c556ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-06-28T23_01_44.4276012+00_001313

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempDataBase2024-06-28T23_01_44.7404160+00_001313

Filesize
288KB

MD5
0412d4f1fbbc8a52195c0dd0c4526eb5

SHA1
8e3c27b0d10adf47213956a1b53a30488017a948

SHA256
e3e09a94b9254c4f8f1b0d17f07b14a4e3df56eb70f32b2ed72673c72430e190

SHA512
957faf91c2fcb46f7503e1046f45707a678d0b6eb15ad045f93030a0694eea79081e37e440a2e704ec1cc6cd946d6d3b7e4e897914d133fe551d7cfe42df88a6

Download Submit
C:\Users\Admin\AppData\Roaming\BPTVDRwNFyTHuV078BFBFF000306D2A4B55DEC61\61078BFBFF000306D2A4B55DECBPTVDRwNFyTHuV\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
memory/1124-142-0x00007FF97A670000-0x00007FF97B131000-memory.dmp

Filesize
10.8MB

Download
memory/1124-75-0x00007FF97A670000-0x00007FF97B131000-memory.dmp

Filesize
10.8MB

Download
memory/1184-73-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/1184-0-0x00007FF97B673000-0x00007FF97B675000-memory.dmp

Filesize
8KB

Download
memory/1184-2-0x0000017339FE0000-0x000001733A056000-memory.dmp

Filesize
472KB

Download
memory/1184-3-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/1184-72-0x000001733AB50000-0x000001733AC52000-memory.dmp

Filesize
1.0MB

Download
memory/1184-47-0x000001733AB50000-0x000001733AC52000-memory.dmp

Filesize
1.0MB

Download
memory/1184-1-0x000001731F920000-0x000001731FA2A000-memory.dmp

Filesize
1.0MB

Download