Malware Analysis Report

2025-06-16 03:47

Sample ID 220830-ag7t5aghgp
Target f8afeeab30c1ef52199dfabc7be6d4c6.exe
SHA256 537967a4ff0594af46c09bf023eb4964af5a9bf2ef902acc2000e53addeba193
Tags
eternity raccoon redline ea6e085210142782ca765e8e63fe811d discovery infostealer spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

537967a4ff0594af46c09bf023eb4964af5a9bf2ef902acc2000e53addeba193

Threat Level: Known bad

The file f8afeeab30c1ef52199dfabc7be6d4c6.exe was found to be: Known bad.

Malicious Activity Summary

eternity raccoon redline ea6e085210142782ca765e8e63fe811d discovery infostealer spyware stealer

Eternity

RedLine

Eternity family

Raccoon

RedLine payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-30 00:12

Signatures

Eternity family

eternity

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-30 00:12

Reported

2022-08-30 00:14

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe"

Signatures

Eternity

eternity

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8999.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8999.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8999.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe

"C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe"

C:\Users\Admin\AppData\Local\Temp\8999.exe

"C:\Users\Admin\AppData\Local\Temp\8999.exe"

C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

"C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe"

Network

Country Destination Domain Proto
NL 95.101.78.106:80 tcp
US 93.184.220.29:80 tcp
US 206.188.196.200:80 206.188.196.200 tcp
RU 78.24.216.5:42717 tcp
NL 20.190.160.22:443 tcp
NL 20.190.160.22:443 tcp
US 20.44.10.122:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp

Files

memory/736-132-0x0000000000670000-0x00000000006A2000-memory.dmp

memory/736-133-0x0000000005500000-0x0000000005AA4000-memory.dmp

memory/2544-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8999.exe

MD5 46c9e711e372e5400396c316aee84ef2
SHA1 87d69acf7d1aa5c14d589f2675b762d31df4f045
SHA256 649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278
SHA512 b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88

memory/2544-137-0x0000000000C70000-0x0000000000C90000-memory.dmp

memory/2544-138-0x0000000005B60000-0x0000000006178000-memory.dmp

memory/2544-139-0x0000000005600000-0x0000000005612000-memory.dmp

memory/2544-140-0x0000000005730000-0x000000000583A000-memory.dmp

memory/1132-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

MD5 b167ba266d25d54ae5d7a85b6d30309e
SHA1 1e2e2c9934a6276529b39c784597026ffb2336b8
SHA256 595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2
SHA512 3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

memory/2544-144-0x0000000005660000-0x000000000569C000-memory.dmp

memory/2544-145-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/2544-146-0x0000000006570000-0x0000000006602000-memory.dmp

memory/2544-147-0x0000000006610000-0x0000000006686000-memory.dmp

memory/2544-148-0x0000000006710000-0x000000000672E000-memory.dmp

memory/2544-149-0x00000000072B0000-0x0000000007472000-memory.dmp

memory/2544-150-0x00000000079B0000-0x0000000007EDC000-memory.dmp

memory/2544-151-0x0000000007250000-0x00000000072A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-30 00:12

Reported

2022-08-30 00:14

Platform

win7-20220812-en

Max time kernel

44s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe"

Signatures

Eternity

eternity

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8999.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8999.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8999.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe

"C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe"

C:\Users\Admin\AppData\Local\Temp\8999.exe

"C:\Users\Admin\AppData\Local\Temp\8999.exe"

C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

"C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe"

Network

Country Destination Domain Proto
RU 78.24.216.5:42717 tcp
US 206.188.196.200:80 206.188.196.200 tcp

Files

memory/832-54-0x0000000001030000-0x0000000001062000-memory.dmp

memory/832-55-0x0000000075921000-0x0000000075923000-memory.dmp

\Users\Admin\AppData\Local\Temp\8999.exe

MD5 46c9e711e372e5400396c316aee84ef2
SHA1 87d69acf7d1aa5c14d589f2675b762d31df4f045
SHA256 649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278
SHA512 b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88

C:\Users\Admin\AppData\Local\Temp\8999.exe

MD5 46c9e711e372e5400396c316aee84ef2
SHA1 87d69acf7d1aa5c14d589f2675b762d31df4f045
SHA256 649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278
SHA512 b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88

memory/1708-57-0x0000000000000000-mapping.dmp

memory/1708-60-0x0000000000DD0000-0x0000000000DF0000-memory.dmp

\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

MD5 b167ba266d25d54ae5d7a85b6d30309e
SHA1 1e2e2c9934a6276529b39c784597026ffb2336b8
SHA256 595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2
SHA512 3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

MD5 b167ba266d25d54ae5d7a85b6d30309e
SHA1 1e2e2c9934a6276529b39c784597026ffb2336b8
SHA256 595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2
SHA512 3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

memory/1704-64-0x0000000000000000-mapping.dmp