eternity

General

Target

5903b4d5a7cbd5816d4a9128cb69570b.exe
Size

1.4MB
Sample

221109-x3scwsbec2
MD5

5903b4d5a7cbd5816d4a9128cb69570b
SHA1

2180d6f65a664f71c85762a3c4c5db7163b66c73
SHA256

e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
SHA512

86b0b6c80562cfec59b73562ce37bc51cc49521f1e2feca728f172377c9f5b645e8e66dd99756c0aef86dfd1380d71ff2f51fd755839e6f3dcd5f063519a8b40
SSDEEP

24576:9jahaFL5GiByK/RMAs5WHi044+yO0VrVdvGUhdVlfNukuc5WEnzW/GC1eR9rmAzd:9+h2L5GiByK/+Azi04nyrVrnzblfkhgb

Score

10^/10

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
https://raroford3242.xyz/myupdate.exe
https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe
https://raroford3242.xyz/myupdate.exe
https://raroford3242.xyz/myupdate.exe

Extracted

Family

remcos

Botnet

RemoteHost

C2

157.90.145.151:1441

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
onhyxlqy.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
gftlbusy-PLYPFW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

C2

157.90.145.151:14075

Attributes

auth_value
197a8d2e248bee4495c3db7cbfdf6d3d

Targets

- Target
  
  5903b4d5a7cbd5816d4a9128cb69570b.exe
- Size
  
  1.4MB
- MD5
  
  5903b4d5a7cbd5816d4a9128cb69570b
- SHA1
  
  2180d6f65a664f71c85762a3c4c5db7163b66c73
- SHA256
  
  e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
- SHA512
  
  86b0b6c80562cfec59b73562ce37bc51cc49521f1e2feca728f172377c9f5b645e8e66dd99756c0aef86dfd1380d71ff2f51fd755839e6f3dcd5f063519a8b40
- SSDEEP
  
  24576:9jahaFL5GiByK/RMAs5WHi044+yO0VrVdvGUhdVlfNukuc5WEnzW/GC1eR9rmAzd:9+h2L5GiByK/+Azi04nyrVrnzblfkhgb
Score

10^/10

eternity redline remcos remotehost infostealer rat spyware persistence
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2