eternity

General

Target

7e5ac608a4ec5f63728bde143133a525.exe
Size

238KB
Sample

221106-vmd48aeffl
MD5

7e5ac608a4ec5f63728bde143133a525
SHA1

05cc0e3d3ceebdc51d50508577d6d79654808dc8
SHA256

cbeed457f794b1a07a8ec5e004285568a8ca27711fdd9389361458d47a36f593
SHA512

7ffd15de0598ba900bbe26d684eaeac94753bac78df6c8cd3bafedbbb943a7b5a5cd212fc8286b5c6771b5c79095c5a1b3a39d8992ebe05017cd33aad6ccf951
SSDEEP

6144:FXdcjOzeb/gCrb8vefFq2LhVAOv84Ctdx8o:FOjOzebY4hVzCrao

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

redline

C2

45.15.156.52:45

Attributes

auth_value
19cd76dae6d01d9649fd29624fa61e51

Extracted

Family

remcos

Botnet

New

C2

173.212.217.108:1050

zab4ever.no-ip.org:1050

1zab4ever.no-ip.org:1050

1zab4ever.duckdns.org:1050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BrowseUpdt.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
nobita.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
khruioprs-T021C4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
BrowseUpdt
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Targets

- Target
  
  7e5ac608a4ec5f63728bde143133a525.exe
- Size
  
  238KB
- MD5
  
  7e5ac608a4ec5f63728bde143133a525
- SHA1
  
  05cc0e3d3ceebdc51d50508577d6d79654808dc8
- SHA256
  
  cbeed457f794b1a07a8ec5e004285568a8ca27711fdd9389361458d47a36f593
- SHA512
  
  7ffd15de0598ba900bbe26d684eaeac94753bac78df6c8cd3bafedbbb943a7b5a5cd212fc8286b5c6771b5c79095c5a1b3a39d8992ebe05017cd33aad6ccf951
- SSDEEP
  
  6144:FXdcjOzeb/gCrb8vefFq2LhVAOv84Ctdx8o:FOjOzebY4hVzCrao
Score

10^/10

smokeloader backdoor trojan eternity redline remcos @redlinevip cloud (tg: @fatherofcarders)new collection discovery infostealer persistence rat spyware stealer
- Detects Smokeloader packer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2