Analysis
-
max time kernel
35s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2024 19:36
Behavioral task
behavioral1
Sample
Echelon.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
60 seconds
Behavioral task
behavioral2
Sample
Echelon.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
60 seconds
General
-
Target
Echelon.exe
-
Size
778KB
-
MD5
76af6669d9635ffe4fdbf97af1a57fa6
-
SHA1
d3cba94b74f67e8d98cfa89209748ea2701bef80
-
SHA256
cab5dcf0af0ee68bc7113ab59e08ef43f2a62c8538afb2d96e154fc6fd19b9f0
-
SHA512
11fc1464800a4481865649cd71815f8d5be79d28bf36e6d56ffac65ce9564e346b22f73e8f0404efba5687e2291a4530f4ff125e580b2f62ec377a2c2bf743e7
-
SSDEEP
24576:9FYpeHEsokNLQyhFoVdJOlc8msV0EWRr:6ASumJmc8mW0d
Score
10/10
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral2/memory/1836-1-0x000001A2561A0000-0x000001A256268000-memory.dmp family_echelon -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 5 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1836 Echelon.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1836 Echelon.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe