General

  • Target

    cryp.exe

  • Size

    7KB

  • Sample

    220910-edgwradccm

  • MD5

    a1f047d0fedbc2e3f5761e55231ac017

  • SHA1

    90471b46e6b176a9bc707f503f73453c15c6d214

  • SHA256

    8b0ea57ade5bfaed72798a9363c572da765e6014d5baeb667f4804525ae851bd

  • SHA512

    16ed0cbac2229c541896403803f8ada8a48cba8c982c29d2fcd208ce7128710997cb0ea22ca1197f409bb9a2b38dc68c1baf7db6593d38f7a88a98589f92ac83

  • SSDEEP

    96:34I2unjKp7Y5DkYoCYNiESNfWNsn8WEmO8qQuD1oCbyRTq8Q4tX32hWN3QU:34Mup7iDkYDxNeNejEmO8q7xlbuTXfY

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Targets

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar sensitive data.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks