eternity | 0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe
Size

1.4MB
MD5

a79ff5d8771b2bca9c7044d5b50a95ed
SHA1

ed821db96f236709549444a57a1fdf1280400cc4
SHA256

0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4
SHA512

23fc1ec4da678188f2ba75122198aae73052b1df87e2e6431f7fdb0d31781a1fc1e89f9e3d08adc1d137b998e43863b7399d54dc178d3910df48fcbe8460c05e

Score

10^/10

eternity spyware stealer worm

Malware Config

Signatures

Detects Eternity worm 11 IoCs

worm

resource	yara_rule
behavioral1/files/0x0008000000015c46-61.dat	eternity_worm
behavioral1/files/0x0008000000015c46-59.dat	eternity_worm
behavioral1/files/0x0008000000015c46-62.dat	eternity_worm
behavioral1/memory/1256-63-0x0000000000A00000-0x0000000000B56000-memory.dmp	eternity_worm
behavioral1/files/0x0007000000015ca6-69.dat	eternity_worm
behavioral1/files/0x0007000000015ca6-70.dat	eternity_worm
behavioral1/files/0x0007000000015ca6-72.dat	eternity_worm
behavioral1/memory/1560-73-0x0000000001200000-0x0000000001356000-memory.dmp	eternity_worm
behavioral1/files/0x0007000000015ca6-76.dat	eternity_worm
behavioral1/files/0x0007000000015ca6-78.dat	eternity_worm
behavioral1/memory/624-79-0x0000000001200000-0x0000000001356000-memory.dmp	eternity_worm

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 4 IoCs

pid	Process
1256	BNAGMGSPLO.exe
1560	BNAGMGSPLO.exe
1924	BNAGMGSPLO.exe
624	BNAGMGSPLO.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe
868	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1576	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1068	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1236	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	BNAGMGSPLO.exe
Token: SeDebugPrivilege	624	BNAGMGSPLO.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe
1236	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1236	vlc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1236	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	26
PID 1868 wrote to memory of 1236	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	26
PID 1868 wrote to memory of 1236	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	26
PID 1868 wrote to memory of 1236	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	26
PID 1868 wrote to memory of 1256	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	27
PID 1868 wrote to memory of 1256	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	27
PID 1868 wrote to memory of 1256	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	27
PID 1868 wrote to memory of 1256	1868	0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe	27
PID 1256 wrote to memory of 868	1256	BNAGMGSPLO.exe	28
PID 1256 wrote to memory of 868	1256	BNAGMGSPLO.exe	28
PID 1256 wrote to memory of 868	1256	BNAGMGSPLO.exe	28
PID 1256 wrote to memory of 868	1256	BNAGMGSPLO.exe	28
PID 868 wrote to memory of 1004	868	cmd.exe	30
PID 868 wrote to memory of 1004	868	cmd.exe	30
PID 868 wrote to memory of 1004	868	cmd.exe	30
PID 868 wrote to memory of 1004	868	cmd.exe	30
PID 868 wrote to memory of 1068	868	cmd.exe	31
PID 868 wrote to memory of 1068	868	cmd.exe	31
PID 868 wrote to memory of 1068	868	cmd.exe	31
PID 868 wrote to memory of 1068	868	cmd.exe	31
PID 868 wrote to memory of 1576	868	cmd.exe	32
PID 868 wrote to memory of 1576	868	cmd.exe	32
PID 868 wrote to memory of 1576	868	cmd.exe	32
PID 868 wrote to memory of 1576	868	cmd.exe	32
PID 868 wrote to memory of 1560	868	cmd.exe	33
PID 868 wrote to memory of 1560	868	cmd.exe	33
PID 868 wrote to memory of 1560	868	cmd.exe	33
PID 868 wrote to memory of 1560	868	cmd.exe	33
PID 268 wrote to memory of 1924	268	taskeng.exe	35
PID 268 wrote to memory of 1924	268	taskeng.exe	35
PID 268 wrote to memory of 1924	268	taskeng.exe	35
PID 268 wrote to memory of 1924	268	taskeng.exe	35
PID 268 wrote to memory of 624	268	taskeng.exe	36
PID 268 wrote to memory of 624	268	taskeng.exe	36
PID 268 wrote to memory of 624	268	taskeng.exe	36
PID 268 wrote to memory of 624	268	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe
"C:\Users\Admin\AppData\Local\Temp\0028f5c899747c7800de3f520c7dd7937e6b14c321041e16d0fe8be95fafe4f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.exe
  "C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "BNAGMGSPLO" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1068
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "BNAGMGSPLO" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1576
  - - C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1560

C:\Windows\system32\taskeng.exe
taskeng.exe {C300FA1B-F29F-4E42-AF29-2D248C0E64CB} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:268
- C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe
  C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe
  C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.mp3

Filesize
1KB

MD5
5f97b24d9f05fa0379f5e540da8a05b0

SHA1
d4e1a893efd370529484b46ee2f40595842c849e

SHA256
58c103c227966ec93d19ab5d797e1f16e33dcf2de83fa9e63e930c399e2ad396

SHA512
a175fdfc82d79343cd764c69cd6ba6b2305424223768eab081ad7741aa177d44a4e6927190ad156d5641aae143d755164b07cb0bbc9aa856c4772376112b4b24

Download Submit
\Users\Admin\AppData\Local\ServiceHub\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
\Users\Admin\AppData\Local\Temp\BNAGMGSPLO.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
memory/624-79-0x0000000001200000-0x0000000001356000-memory.dmp

Filesize
1.3MB

Download
memory/1236-57-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1256-63-0x0000000000A00000-0x0000000000B56000-memory.dmp

Filesize
1.3MB

Download
memory/1560-73-0x0000000001200000-0x0000000001356000-memory.dmp

Filesize
1.3MB

Download
memory/1868-54-0x0000000001060000-0x00000000011C4000-memory.dmp

Filesize
1.4MB

Download
memory/1868-55-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads