General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.7160.17774.exe

  • Size

    2.2MB

  • Sample

    221207-v25wgsaf2z

  • MD5

    0554b46bf73fb47e87b55075480adf7a

  • SHA1

    f5aea523b886a4bc1d75dccd59e2d3f2774ed424

  • SHA256

    9d9e2e1472289d61a36488a0cd67a07e8dc5f7169b5d7719479610c38e070d40

  • SHA512

    67839eb74c64d586fb172b63e2790b1a0a1b4d94333fcd63538b26da6a69ef0554ebbccc09d63f684814148a5773f410756325e12381109b5eb67fb80bda1055

  • SSDEEP

    49152:NwY07xsRQE85N8JXV+WGdudssTWL79ievKtOopjAP6CXRAy380GNByQr8:ND07xRE8v+UWzsAQ9ievKt7pkhxsH6Qg

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
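The extracted C2 is a v3 onion address. Before such a value goes into a blocklist or a threat-intel feed it is worth confirming that it is structurally sound (an extractor that drops or garbles a character produces a string that looks right but can never resolve). The following is an added example, not code from the sandbox report or from Eternity: it implements the public v3 onion layout (32-byte ed25519 public key, 2-byte SHA3-256 checksum, version byte 0x03, base32, 56 characters), decodes the C2 value above, and also encodes a constructed sample key so the checksum path can be exercised end to end.

```python
"""Structural check of a v3 onion C2 indicator before it goes into a blocklist.

Added example, not part of the sandbox report. The encoder and decoder follow
the public v3 onion address layout; REPORT_C2 is the value the report
extracted, and the sample key used in the usage section is constructed.
"""
import base64
import hashlib
import re
from urllib.parse import urlparse

REPORT_C2 = "http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"
VERSION = 3


def _checksum(pubkey: bytes, version: int) -> bytes:
    # rend-spec-v3: CHECKSUM = H(".onion checksum" || PUBKEY || VERSION)[:2], H = SHA3-256
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion keys are 32 bytes")
    raw = pubkey + _checksum(pubkey, VERSION) + bytes([VERSION])
    # 35 bytes * 8 = 280 bits = 56 base32 characters, so no '=' padding appears
    return base64.b32encode(raw).decode().lower() + ".onion"


def parse_onion_v3(address: str) -> dict:
    """Decode a v3 onion URL or bare hostname; raises ValueError on malformed input."""
    s = address.strip()
    if "://" not in s:
        s = "//" + s                        # let urlparse treat a bare host as a netloc
    host = (urlparse(s).hostname or "").lower()
    if not host.endswith(".onion"):
        raise ValueError(f"not a .onion host: {host!r}")
    label = host[:-len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        raise ValueError("v3 onion label must be 56 base32 characters (v2 had 16)")
    raw = base64.b32decode(label.upper())   # exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != VERSION:
        raise ValueError(f"unexpected version byte {version}")
    return {
        "host": host,
        "pubkey": pubkey.hex(),
        "version": version,
        "checksum_ok": checksum == _checksum(pubkey, version),
    }


def is_valid_onion_v3(address: str) -> bool:
    """True only if the address decodes and its embedded checksum verifies."""
    try:
        return parse_onion_v3(address)["checksum_ok"]
    except ValueError:
        return False


if __name__ == "__main__":
    info = parse_onion_v3(REPORT_C2)
    print(info["host"], "version:", info["version"], "checksum_ok:", info["checksum_ok"])
    sample_key = bytes(range(32))           # constructed key, not from the sample
    print("round trip:", is_valid_onion_v3(encode_onion_v3(sample_key)))
```

A checksum failure on an extracted C2 usually means the extractor, not the operator, got it wrong; the version byte and length checks catch truncated or v2-era strings that would otherwise sit silently in a blocklist.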

Targets

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is characteristic of process hollowing and thread-hijacking injection into a second process.
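Several of the signatures above (geofence lookup, browser profile access, Outlook profile access, Run key persistence, external IP lookup) are host-observable and can be turned into hunt logic. The following is an added example, not code from the sandbox report or from Eternity: it matches procmon-style trace lines against those behaviours and attributes the report's ATT&CK v6 IDs per process. The trace lines are constructed, and the registry and file paths used as indicators are common Windows locations chosen here rather than paths the report names. It also handles the obvious false positive, a browser reading its own profile files.

```python
"""Flag the behaviours this report lists in a procmon-style trace.

Added example, not code from the sandbox report or from Eternity. The trace
below is constructed and the indicator paths are assumptions (common Windows
locations), not paths taken from the report.
"""
import csv
import io
import re
from collections import defaultdict
from typing import NamedTuple


class Rule(NamedTuple):
    signature: str           # wording used by the report's signature list
    attack_id: str           # ATT&CK v6 ID used by the report's matrix
    operations: frozenset    # procmon operations the rule applies to
    path: re.Pattern         # matched against the Path column
    benign_processes: frozenset = frozenset()  # processes expected to do this


RULES = [
    Rule("Checks computer location settings", "T1012", frozenset({"RegQueryValue"}),
         re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    Rule("Reads user/profile data of web browsers", "T1081", frozenset({"CreateFile", "ReadFile"}),
         re.compile(r"\\(User Data\\[^\\]+\\Login Data|Profiles\\[^\\]+\\logins\.json)$", re.I),
         # browsers legitimately open their own credential stores: skip them
         frozenset({"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"})),
    Rule("Accesses Microsoft Outlook profiles", "T1114", frozenset({"RegOpenKey", "RegQueryValue"}),
         re.compile(r"\\Office\\[\d.]+\\Outlook\\Profiles\\", re.I),
         frozenset({"outlook.exe"})),
    Rule("Adds Run key to start application", "T1060", frozenset({"RegSetValue"}),
         re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    Rule("Looks up external IP address via web service", "T1102", frozenset({"TCP Connect"}),
         re.compile(r"^(api\.ipify\.org|ipinfo\.io|icanhazip\.com|ip-api\.com)(:\d+)?$", re.I)),
]

# Constructed procmon-style trace (Process, Operation, Path); not from the report.
SAMPLE_TRACE = r"""Process,Operation,Path
PWSX-gen.exe,RegQueryValue,HKCU\Control Panel\International\Geo\Nation
PWSX-gen.exe,CreateFile,C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
PWSX-gen.exe,CreateFile,C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json
PWSX-gen.exe,RegQueryValue,HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
PWSX-gen.exe,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
PWSX-gen.exe,TCP Connect,api.ipify.org:443
chrome.exe,CreateFile,C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
explorer.exe,RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
"""


def match_trace(trace_csv: str) -> dict:
    """Return {process: {(signature, attack_id), ...}} for every rule hit."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        proc, op, path = row["Process"], row["Operation"], row["Path"]
        for rule in RULES:
            if op not in rule.operations or not rule.path.search(path):
                continue
            if proc.lower() in rule.benign_processes:
                continue
            hits[proc].add((rule.signature, rule.attack_id))
    return dict(hits)


def attack_ids(hits: dict, process: str) -> list:
    """Sorted ATT&CK IDs attributed to one process (empty if it was clean)."""
    return sorted({attack_id for _, attack_id in hits.get(process, ())})


if __name__ == "__main__":
    for proc, found in match_trace(SAMPLE_TRACE).items():
        print(proc)
        for signature, attack_id in sorted(found):
            print(f"  {attack_id}  {signature}")
```

On the constructed trace only PWSX-gen.exe is reported; chrome.exe opening its own Login Data is dropped by the per-rule allowlist, and explorer.exe touches nothing the rules care about. SetThreadContext and the dropped-EXE execution are not in this trace format and would need process or API-level telemetry instead.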

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                             Count  ID
Persistence           Registry Run Keys / Startup Folder    1      T1060
Defense Evasion       Modify Registry                       2      T1112
Defense Evasion       Install Root Certificate              1      T1130
Credential Access     Credentials in Files                  1      T1081
Discovery             Query Registry                        2      T1012
Discovery             System Information Discovery          3      T1082
Collection            Data from Local System                1      T1005
Collection            Email Collection                      1      T1114
Command and Control   Web Service                           1      T1102

The IDs are ATT&CK v6; three have since been reorganised into sub-techniques: T1060 is now T1547.001, T1081 is T1552.001 and T1130 is T1553.004.
