eternity | 01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6

General

Target

01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe
Size

1.6MB
MD5

51f680c87f810a25cb8d9f4a217156b6
SHA1

a9cd1c857692aa49dfa9fc93cde2204002326d31
SHA256

01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6
SHA512

f7a723641bb65eb4763784da1c2c36d9b0ae07cc7241eb9ef816e20308cfbd1ee77780503768d5784f90a1bc387c09271ccf98fbee0bc8fec2ac9c5b20563c7d

Score

10^/10

eternity spyware stealer suricata

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1668-54-0x0000000000A80000-0x0000000000C1C000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)
suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)
suricata
suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
suricata
suricata: ET MALWARE Win32/Eternity Stealer Activity (POST)
suricata: ET MALWARE Win32/Eternity Stealer Activity (POST)
suricata
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
suricata
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)
suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)
suricata
Drops file in Drivers directory 1 IoCs

Processes:

SmotaProxy_v1.1.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts SmotaProxy_v1.1.exe
Executes dropped EXE 2 IoCs

Processes:

SmotaProxy_v1.1.exedcd.exe

pid process

2044 SmotaProxy_v1.1.exe
268 dcd.exe
Loads dropped DLL 1 IoCs

Processes:

01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

pid process

1668 01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

568 1668 WerFault.exe 01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SmotaProxy_v1.1.exe

pid	process
2044	SmotaProxy_v1.1.exe
268	dcd.exe

pid	process
1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

pid	pid_target	process	target process
568	1668	WerFault.exe	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

description pid process

Token: SeDebugPrivilege 1668 01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

description	pid	process
Token: SeDebugPrivilege	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

description	pid	process	target process
PID 1668 wrote to memory of 2044	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	SmotaProxy_v1.1.exe
PID 1668 wrote to memory of 2044	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	SmotaProxy_v1.1.exe
PID 1668 wrote to memory of 2044	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	SmotaProxy_v1.1.exe
PID 1668 wrote to memory of 268	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	dcd.exe
PID 1668 wrote to memory of 268	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	dcd.exe
PID 1668 wrote to memory of 268	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	dcd.exe
PID 1668 wrote to memory of 268	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	dcd.exe
PID 1668 wrote to memory of 568	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	WerFault.exe
PID 1668 wrote to memory of 568	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	WerFault.exe
PID 1668 wrote to memory of 568	1668	01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe
"C:\Users\Admin\AppData\Local\Temp\01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1668 -s 1888
  2⤵
  - Program crash
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe

Filesize
367KB

MD5
c305f6bfc6eb098e6831479181e01dc4

SHA1
74afedfd0f083d237a6a22470515adf8b50c089d

SHA256
40fc3e9e4e2b3f191e11de34dd6b135b7ef0da85b35b206a90f12fed240d71e7

SHA512
64634d629816ab39f9c08daea3da296e6fcee4b24210f70e05aa44586b19ce445758bb43e470567fc7d691c0dd202b1804e8524fe7a27ec62cca1fd0f91baf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe

Filesize
367KB

MD5
c305f6bfc6eb098e6831479181e01dc4

SHA1
74afedfd0f083d237a6a22470515adf8b50c089d

SHA256
40fc3e9e4e2b3f191e11de34dd6b135b7ef0da85b35b206a90f12fed240d71e7

SHA512
64634d629816ab39f9c08daea3da296e6fcee4b24210f70e05aa44586b19ce445758bb43e470567fc7d691c0dd202b1804e8524fe7a27ec62cca1fd0f91baf19

Download Submit
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/568-62-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000000A80000-0x0000000000C1C000-memory.dmp

Filesize
1.6MB

Download
memory/1668-55-0x000000001AD30000-0x000000001ADCA000-memory.dmp

Filesize
616KB

Download
memory/1668-56-0x000000001B166000-0x000000001B185000-memory.dmp

Filesize
124KB

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads