eternity | 2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

General

Target

file.exe
Size

10.0MB
MD5

71438bae518e4e312e1f6617ee0b268b
SHA1

744f042e3b251786d7d15c960b93d7da83f75773
SHA256

2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8
SHA512

6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf
SSDEEP

24576:LvtObzeG41/7E6E9h1hqmS10mSVBojjIY+SzsS:hOWVpX8V+48zsS

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

41r3LwMnez561bPJdamkzFfVoUJhmJQjHXSGz2e1Cb8xBCgvvSN36REatA7Ayn2GubDXyE2SQsar4LJDTAr8DnwPSmViy7o

1NSf3HSaEVJQv82Wg1Dxwrq8vksbXk1Uz9

0x5296E7a3aBa03B60e9ab2fF31Bc4Bda5C4306E70

D8JaQ1S56v9q1PYvgiMSiJKcpr62rzNmPP

TGPdhxdT1AdFBy9ojeACoPDhGG9BJsDRcG

t1V7NEnYmdnGVMFE7nLmW9r1DxnvBdZEcuu

XpTXPMSoGXwsHWs1h9fnUTDo2HfJbXyzqk

Signatures

Detects Eternity clipper 14 IoCs

clipper

Processes:

resource	yara_rule
behavioral1/memory/360-59-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/360-60-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/360-61-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/360-62-0x000000000040B0DE-mapping.dmp	eternity_clipper
behavioral1/memory/360-64-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/360-66-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/884-83-0x000000000040B0DE-mapping.dmp	eternity_clipper
behavioral1/memory/884-86-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/884-88-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper
behavioral1/memory/944-98-0x000000000040B0DE-mapping.dmp	eternity_clipper
behavioral1/memory/1452-112-0x000000000040B0DE-mapping.dmp	eternity_clipper
behavioral1/memory/1452-115-0x0000000000080000-0x0000000000090000-memory.dmp	eternity_clipper
behavioral1/memory/1452-119-0x0000000000080000-0x0000000000090000-memory.dmp	eternity_clipper
behavioral1/memory/1452-122-0x0000000000080000-0x0000000000090000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 6 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exe

pid process

1648 file.exe
884 file.exe
1712 file.exe
944 file.exe
1644 file.exe
1452 file.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1904 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1904 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
1648	file.exe
884	file.exe
1712	file.exe
944	file.exe
1644	file.exe
1452	file.exe

pid	process
1904	cmd.exe

pid	process
1904	cmd.exe

flow	ioc
3	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

file.exefile.exefile.exefile.exe

description	pid	process	target process
PID 1708 set thread context of 360	1708	file.exe	file.exe
PID 1648 set thread context of 884	1648	file.exe	file.exe
PID 1712 set thread context of 944	1712	file.exe	file.exe
PID 1644 set thread context of 1452	1644	file.exe	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1528 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1480 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

file.exe

pid process

884 file.exe

pid	process
1528	schtasks.exe

pid	process
1480	PING.EXE

pid	process
884	file.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exe

description	pid	process
Token: SeDebugPrivilege	1708	file.exe
Token: SeDebugPrivilege	1648	file.exe
Token: SeDebugPrivilege	884	file.exe
Token: SeDebugPrivilege	1712	file.exe
Token: SeDebugPrivilege	1644	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.execmd.exefile.exetaskeng.exefile.exefile.exe

description	pid	process	target process
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 1708 wrote to memory of 360	1708	file.exe	file.exe
PID 360 wrote to memory of 1904	360	file.exe	cmd.exe
PID 360 wrote to memory of 1904	360	file.exe	cmd.exe
PID 360 wrote to memory of 1904	360	file.exe	cmd.exe
PID 360 wrote to memory of 1904	360	file.exe	cmd.exe
PID 1904 wrote to memory of 1808	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1808	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1808	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1808	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1480	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 1480	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 1480	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 1480	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 1528	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1528	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1528	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1528	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1648	1904	cmd.exe	file.exe
PID 1904 wrote to memory of 1648	1904	cmd.exe	file.exe
PID 1904 wrote to memory of 1648	1904	cmd.exe	file.exe
PID 1904 wrote to memory of 1648	1904	cmd.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 1648 wrote to memory of 884	1648	file.exe	file.exe
PID 860 wrote to memory of 1712	860	taskeng.exe	file.exe
PID 860 wrote to memory of 1712	860	taskeng.exe	file.exe
PID 860 wrote to memory of 1712	860	taskeng.exe	file.exe
PID 860 wrote to memory of 1712	860	taskeng.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 1712 wrote to memory of 944	1712	file.exe	file.exe
PID 860 wrote to memory of 1644	860	taskeng.exe	file.exe
PID 860 wrote to memory of 1644	860	taskeng.exe	file.exe
PID 860 wrote to memory of 1644	860	taskeng.exe	file.exe
PID 860 wrote to memory of 1644	860	taskeng.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe
PID 1644 wrote to memory of 1452	1644	file.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1808

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1528

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {4FFFA0EF-6135-40C0-A35E-37353B870432} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
3⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
3⤵
- Executes dropped EXE
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
memory/360-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-67-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/360-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/360-62-0x000000000040B0DE-mapping.dmp

Download
memory/884-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/884-83-0x000000000040B0DE-mapping.dmp

Download
memory/884-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/944-98-0x000000000040B0DE-mapping.dmp

Download
memory/1452-112-0x000000000040B0DE-mapping.dmp

Download
memory/1452-119-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1452-122-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1452-115-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1480-70-0x0000000000000000-mapping.dmp

Download
memory/1528-71-0x0000000000000000-mapping.dmp

Download
memory/1644-104-0x0000000000000000-mapping.dmp

Download
memory/1648-74-0x0000000000000000-mapping.dmp

Download
memory/1648-76-0x0000000001240000-0x0000000001C40000-memory.dmp

Filesize
10.0MB

Download
memory/1708-54-0x0000000000920000-0x0000000001320000-memory.dmp

Filesize
10.0MB

Download
memory/1708-55-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/1712-90-0x0000000000000000-mapping.dmp

Download
memory/1808-69-0x0000000000000000-mapping.dmp

Download
memory/1904-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads