eternity | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

General

Target

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
Size

62KB
MD5

c4b46a2d0898e9ba438366f878cd74bd
SHA1

f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
SHA256

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
SHA512

ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Score

10^/10

eternity clipper suricata

Malware Config

Signatures

Detects Eternity clipper 5 IoCs

clipper

Processes:

resource	yara_rule
behavioral2/memory/2124-130-0x00000000006C0000-0x00000000006D6000-memory.dmp	eternity_clipper
behavioral2/files/0x0007000000022ed0-136.dat	eternity_clipper
behavioral2/files/0x0007000000022ed0-137.dat	eternity_clipper
behavioral2/files/0x0007000000022ed0-142.dat	eternity_clipper
behavioral2/files/0x0007000000022ed0-143.dat	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
suricata

Executes dropped EXE 3 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

pid	Process
4812	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
2316	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
1672	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
3460	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3880	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

pid	Process
4812	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

description	pid	Process
Token: SeDebugPrivilege	4812	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.execmd.exe

description	pid	Process	procid_target
PID 2124 wrote to memory of 4688	2124	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	83
PID 2124 wrote to memory of 4688	2124	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	83
PID 2124 wrote to memory of 4688	2124	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	83
PID 4688 wrote to memory of 3292	4688	cmd.exe	85
PID 4688 wrote to memory of 3292	4688	cmd.exe	85
PID 4688 wrote to memory of 3292	4688	cmd.exe	85
PID 4688 wrote to memory of 3880	4688	cmd.exe	86
PID 4688 wrote to memory of 3880	4688	cmd.exe	86
PID 4688 wrote to memory of 3880	4688	cmd.exe	86
PID 4688 wrote to memory of 3460	4688	cmd.exe	89
PID 4688 wrote to memory of 3460	4688	cmd.exe	89
PID 4688 wrote to memory of 3460	4688	cmd.exe	89
PID 4688 wrote to memory of 4812	4688	cmd.exe	90
PID 4688 wrote to memory of 4812	4688	cmd.exe	90
PID 4688 wrote to memory of 4812	4688	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
"C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3460
- - C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:4812

C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
1⤵
- Executes dropped EXE
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
memory/2124-130-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/3292-132-0x0000000000000000-mapping.dmp

Download
memory/3460-134-0x0000000000000000-mapping.dmp

Download
memory/3880-133-0x0000000000000000-mapping.dmp

Download
memory/4688-131-0x0000000000000000-mapping.dmp

Download
memory/4812-139-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/4812-140-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/4812-141-0x0000000005F40000-0x0000000005F4A000-memory.dmp

Filesize
40KB

Download
memory/4812-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads