eternity | 01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef

General

Target

01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe
Size

882KB
MD5

4a8170905bbb4607bdaf7cb186e8b4f8
SHA1

172a2297a2b226c372b92ac2d07058417a71dd6c
SHA256

01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef
SHA512

9d2acd7cb59d78e8ccffa8264bca58a9574bb2c0f23a15137355457fe971f79c927dcebc83fb77ab277881977bf523ca98038cda57ad255409b71914672aff74

Score

10^/10

eternity spyware stealer suricata

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3348-130-0x00000000001A0000-0x0000000000284000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
suricata
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
suricata
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)
suricata
Executes dropped EXE 1 IoCs

Processes:

dcd.exe

pid process

768 dcd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1624 3348 WerFault.exe 01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe

description pid process

Token: SeDebugPrivilege 3348 01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe

pid	process
768	dcd.exe

pid	pid_target	process	target process
1624	3348	WerFault.exe	01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe

description	pid	process
Token: SeDebugPrivilege	3348	01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe

description	pid	process	target process
PID 3348 wrote to memory of 768	3348	01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe	dcd.exe
PID 3348 wrote to memory of 768	3348	01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe	dcd.exe
PID 3348 wrote to memory of 768	3348	01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe	dcd.exe

C:\Users\Admin\AppData\Local\Temp\01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe
"C:\Users\Admin\AppData\Local\Temp\01f0f1f0ee4153c62a5d538217c9e4b5e714c67a6eb68d9c17ab595a0a658fef.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3348 -s 1860
  2⤵
  - Program crash
  PID:1624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3348 -ip 3348
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
memory/768-133-0x0000000000000000-mapping.dmp

Download
memory/3348-130-0x00000000001A0000-0x0000000000284000-memory.dmp

Filesize
912KB

Download
memory/3348-131-0x00007FFD42660000-0x00007FFD43121000-memory.dmp

Filesize
10.8MB

Download
memory/3348-132-0x0000000000A00000-0x0000000000A50000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing