General

  • Target

    Stealer.exe

  • Size

    334KB

  • Sample

    221125-zhkhnadh53

  • MD5

    a1b1198e4e7a92dc4e824fc8abdd14c9

  • SHA1

    e03727a30b4e5e043bf0dfb8ddf084d68011a1cc

  • SHA256

    1b91ef72cec2de0aed0ae5d633abb555adb9951e4fa804f1cdce4ebe6262e3c9

  • SHA512

    f6559dfa3565ed93df7ac32193843c75af72416fbcee7a3adceac57d0afc5840efde7524e38bb060fc72d2ec1b74aefe455f2a39cffecf65277cae25be27fb27

  • SSDEEP

    6144:ScTjiHG92/tSAkCTOmhwJJmTCyMKXMlvWjgPAbX2Yi:ScHPYVK8myal5

Malware Config

Extracted

  • Family

    eternity

  • C2

    http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Targets

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Install Root Certificate (T1130): 1

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • System Information Discovery (T1082): 2

  • Query Registry (T1012): 1

Collection

  • Data from Local System (T1005): 1

  • Email Collection (T1114): 1

Command and Control

  • Web Service (T1102): 1