echelon | b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3 | Triage

Submit
Reports

Overview

overview

Static

static

3

fe7c134458...18.exe

windows7-x64

fe7c134458...18.exe

windows10-2004-x64

Sharing

General

Target

fe7c13445868482b63e1ae71bca9d150_JaffaCakes118
Size

1.5MB
Sample

240929-n6z3gatcrr
MD5

fe7c13445868482b63e1ae71bca9d150
SHA1

78111d52ba0215bb531d487bc6e9a218ea768377
SHA256

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3
SHA512

c1a2bc27e1381f6ed142ffb8a6cdb0006a9161433dbb9222f83ec407cf0bb5510f9986108b4e96c4a3d0dd30659cc48baec96b9ca962082c64c0fcbcc8c0879c
SSDEEP

24576:7fCMQaXIX9yF/x26XE1kQSEIRL3tEI0mhYBsULm075IKIG1Pj5+rWGAHP:7ozMP2kGkZBqIB0tIKIvr5AHP

Score

10^/10

echelon collection discovery spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe

Resource

win7-20240903-en

echelon discovery spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe

Resource

win10v2004-20240802-en

echelon collection discovery spyware stealer

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  fe7c13445868482b63e1ae71bca9d150_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  fe7c13445868482b63e1ae71bca9d150
- SHA1
  
  78111d52ba0215bb531d487bc6e9a218ea768377
- SHA256
  
  b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3
- SHA512
  
  c1a2bc27e1381f6ed142ffb8a6cdb0006a9161433dbb9222f83ec407cf0bb5510f9986108b4e96c4a3d0dd30659cc48baec96b9ca962082c64c0fcbcc8c0879c
- SSDEEP
  
  24576:7fCMQaXIX9yF/x26XE1kQSEIRL3tEI0mhYBsULm075IKIG1Pj5+rWGAHP:7ozMP2kGkZBqIB0tIKIvr5AHP
Score

10^/10

echelon discovery spyware stealer collection
- Detects Echelon Stealer payload
- Echelon
  Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
  stealer spyware echelon
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

echelondiscoveryspywarestealer

behavioral2

echeloncollectiondiscoveryspywarestealer

© 2018-2024

Terms | Privacy