General
-
Target
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc
-
Size
231KB
-
Sample
221113-wexf9sfc71
-
MD5
d2d53693ba630167f3d1689defd2277a
-
SHA1
e652a4df2934ef3187d7e62450b732ba9d35fdf6
-
SHA256
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc
-
SHA512
bb015c508c2462fd2c563893961fa598ffe7b1c67bc587d013b1681fd5d77e8253995e08f9cdf34c0a21ea1e238f5c5091c20ac979c5c95e704728b16913d413
-
SSDEEP
6144:AWgLu75uLPm/xUzXpxpbcpLFWS/nU8VIfsLknImS9:AWgiFgPm/xUNx4LNs8afk3X
Static task
static1
Behavioral task
behavioral1
Sample
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Extracted
raccoon
dbffbdbc9786a5c270e6dd2d647e18ea
http://79.137.205.87/
Targets
-
-
Target
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc
-
Size
231KB
-
MD5
d2d53693ba630167f3d1689defd2277a
-
SHA1
e652a4df2934ef3187d7e62450b732ba9d35fdf6
-
SHA256
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc
-
SHA512
bb015c508c2462fd2c563893961fa598ffe7b1c67bc587d013b1681fd5d77e8253995e08f9cdf34c0a21ea1e238f5c5091c20ac979c5c95e704728b16913d413
-
SSDEEP
6144:AWgLu75uLPm/xUzXpxpbcpLFWS/nU8VIfsLknImS9:AWgiFgPm/xUNx4LNs8afk3X
-
Detect Amadey credential stealer module
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-