eternity

General

Target

3e3cae5883fb1aa3b277cdc2f030267828f9635830d77208a7bed268e3291bea
Size

5.9MB
Sample

220725-199sasehc9
MD5

dff18091ee3be9ef3f0858bfd3f8f556
SHA1

ed75001a1a9751cbb1cd782feae9aad2f959a910
SHA256

3e3cae5883fb1aa3b277cdc2f030267828f9635830d77208a7bed268e3291bea
SHA512

0005d30043d8a3d6d14801749ed5a021aaf1c24e436613d65ec0939376fa59d74cc58d58c6067a46eb700bb811d1eaed95c56891c0ac7bb5da2d561e20987d92

Score

10^/10

eternity redline 4 @tag12312341 nam3 vukong collection discovery infostealer persistence spyware stealer vmprotect

Malware Config

Extracted

Family

redline

Botnet

Vukong

C2

15.235.171.56:30730

Attributes

auth_value
95768fca932e7c21a4454b0991c3ef32

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

4

C2

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

C2

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Wallets

3d124531384b43d082e5cf79f6b2096a

Targets

- Target
  
  3e3cae5883fb1aa3b277cdc2f030267828f9635830d77208a7bed268e3291bea
- Size
  
  5.9MB
- MD5
  
  dff18091ee3be9ef3f0858bfd3f8f556
- SHA1
  
  ed75001a1a9751cbb1cd782feae9aad2f959a910
- SHA256
  
  3e3cae5883fb1aa3b277cdc2f030267828f9635830d77208a7bed268e3291bea
- SHA512
  
  0005d30043d8a3d6d14801749ed5a021aaf1c24e436613d65ec0939376fa59d74cc58d58c6067a46eb700bb811d1eaed95c56891c0ac7bb5da2d561e20987d92
Score

10^/10

redline vukong discovery infostealer spyware stealer eternity 4 @tag12312341 nam3 collection persistence vmprotect
- Detects Eternity stealer
  stealer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2