eternity | 839afac62aa1ba9eb4bf3b17d3877ba66e0857f45ccbbd12eefb940f6855ac09 | Triage

Sharing

General

Target

f4a68987e0ef243fa1e9bfe07c643052
Size

203KB
Sample

230112-r25c6sgc74
MD5

f4a68987e0ef243fa1e9bfe07c643052
SHA1

872a9c456fcd0bedfe43c45be1e496b8947d3247
SHA256

839afac62aa1ba9eb4bf3b17d3877ba66e0857f45ccbbd12eefb940f6855ac09
SHA512

ea1b107e837bf1d22e5766ef8f0f6d9d5095787156912cf40c578bd9f600022b7660a14e0ba2d164a1b60fcc0a1f5dba7cde8ba109b7c878d7d0419520908ef3
SSDEEP

3072:G3UhZ86ZSJgWPcOWAvJ341j+EzKs4orHNV+Y:GEkAS6oAyEzK/y+

Score

10^/10

eternity collection evasion spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://direct-trojan.com/file/bff3da/FEFE.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://direct-trojan.com/file/63b3bb/UserOOBEBroker.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://direct-trojan.com/file/8a0b4b/oopsi.exe

Targets

- Target
  
  f4a68987e0ef243fa1e9bfe07c643052
- Size
  
  203KB
- MD5
  
  f4a68987e0ef243fa1e9bfe07c643052
- SHA1
  
  872a9c456fcd0bedfe43c45be1e496b8947d3247
- SHA256
  
  839afac62aa1ba9eb4bf3b17d3877ba66e0857f45ccbbd12eefb940f6855ac09
- SHA512
  
  ea1b107e837bf1d22e5766ef8f0f6d9d5095787156912cf40c578bd9f600022b7660a14e0ba2d164a1b60fcc0a1f5dba7cde8ba109b7c878d7d0419520908ef3
- SSDEEP
  
  3072:G3UhZ86ZSJgWPcOWAvJ341j+EzKs4orHNV+Y:GEkAS6oAyEzK/y+
Score

10^/10

eternity collection evasion spyware stealer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

eternitycollectionevasionspywarestealer