eternity | 259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9

Analysis

max time kernel
99s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2023, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
Size

1.4MB
MD5

4f201081c84cff8d1da121e9bd663081
SHA1

c58a44b848ad53c371ea6064ab9e84d12a8c040d
SHA256

259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9
SHA512

06169913f1ff763abf0d6c5de48ee2c4275f495f0c36ab839e09883d7770b4bee03e851f124018f7d2cc9cfb41e3e513e43465f2a079b5bc78622e677c453b2e
SSDEEP

24576:u3cyHN7H5jj7nr5SRmKyIFH2CZCT/xDQv5tBhqfDVGNClrbI54Bj:wc0Rlj74Mc2I5zEtJbg4Bj

Score

10^/10

eternity rhadamanthys clipper stealer

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

46hRZV3wiYgYb9Sw6V9VmSKZbS8pTTaMfQ4yFam5VRTz47JXvvBukjj8Sr4i8DbxQojNRPZFWE2avCbHnrRnD5XeSK8aiu9

qp5699zfqyull2vfavarsd8mm5rkj0affg78fpwhhz

0xF75989D7E17A4BE89F32a1A23B896255426c45F1

D8RGnqQXbCxksTbkaeryo9xrxk5XUKkgvn

THQTA24ugkbVrs9ynrm7mSpBnVsUHXGY6T

LTDcx7wGM2b1YWSjVpciA9mv36xe2Kz71P

rJh4ZTmLABknoDaz3uaj3mCiZDT6oG2pPB

t1SSSZD9z9hr3oyzZu5fk9MKDWZb3xZksbh

Xbz69HkR72FBEND7Mpu2Ep9wEziNxjqttx

Acwj1Km3Fu388MsR9CXbK4ojotzLT3bbP6

GDZ7JF6VZK7TCS43YTLK53SX6FORENV2LSRVURO5N225CLZHQHUQYLYZ

98FgZZenUxabTrQ7d7Rq4hPHACqRXLq7Ukfp2Ui6L3oj

O3G6DCADGJZI32IYSACT4DRZBZSQBLKSVSDXSIDQ3SI3UNJ2FU63ELYNRQ

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral1/memory/4464-157-0x0000000000C00000-0x0000000000C1C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4464-161-0x0000000000C00000-0x0000000000C1C000-memory.dmp	family_rhadamanthys

Detects Eternity clipper 1 IoCs

clipper

resource	yara_rule
behavioral1/memory/4980-138-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4896 created 2888	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	52

Executes dropped EXE 3 IoCs

pid	Process
216	ngentask.exe
4704	ngentask.exe
2456	ngentask.exe

Loads dropped DLL 1 IoCs

pid	Process
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4464	fontview.exe
4464	fontview.exe
4464	fontview.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 4980	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	82

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2448	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1784	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4464	fontview.exe
Token: SeCreatePagefilePrivilege	4464	fontview.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4980	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	82
PID 4896 wrote to memory of 4980	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	82
PID 4896 wrote to memory of 4980	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	82
PID 4896 wrote to memory of 4980	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	82
PID 4896 wrote to memory of 4980	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	82
PID 4896 wrote to memory of 4464	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	83
PID 4896 wrote to memory of 4464	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	83
PID 4896 wrote to memory of 4464	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	83
PID 4896 wrote to memory of 4464	4896	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	83
PID 4980 wrote to memory of 2608	4980	ngentask.exe	84
PID 4980 wrote to memory of 2608	4980	ngentask.exe	84
PID 4980 wrote to memory of 2608	4980	ngentask.exe	84
PID 2608 wrote to memory of 2088	2608	cmd.exe	86
PID 2608 wrote to memory of 2088	2608	cmd.exe	86
PID 2608 wrote to memory of 2088	2608	cmd.exe	86
PID 2608 wrote to memory of 1784	2608	cmd.exe	87
PID 2608 wrote to memory of 1784	2608	cmd.exe	87
PID 2608 wrote to memory of 1784	2608	cmd.exe	87
PID 2608 wrote to memory of 2448	2608	cmd.exe	91
PID 2608 wrote to memory of 2448	2608	cmd.exe	91
PID 2608 wrote to memory of 2448	2608	cmd.exe	91
PID 2608 wrote to memory of 216	2608	cmd.exe	92
PID 2608 wrote to memory of 216	2608	cmd.exe	92
PID 2608 wrote to memory of 216	2608	cmd.exe	92

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2888
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4464

C:\Users\Admin\AppData\Local\Temp\259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
"C:\Users\Admin\AppData\Local\Temp\259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2448
  - - C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
      4⤵
      Executes dropped EXE
      PID:216

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
1⤵
- Executes dropped EXE
PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.log

Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\Temp\240558906.dll

Filesize
334KB

MD5
8596736c157f4e9d597e640b5fd272c2

SHA1
52c13d50177761027cf834200909cb8871e2bfc0

SHA256
7788d59ce9a3935ac67aadd1d6da93feb8a6c2c4ee8b53fba51b93a8f42b3a7a

SHA512
ceb67ced3657617fbe6485642e92c44e672fc39f4c1770a92323bccee636aebeea3b788b9297787db1bb0945e194f2aa245e7f02743207577eca160488ca7d37

Download Submit
memory/216-152-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/4464-155-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/4464-161-0x0000000000C00000-0x0000000000C1C000-memory.dmp

Filesize
112KB

Download
memory/4464-160-0x0000000000708000-0x0000000000722000-memory.dmp

Filesize
104KB

Download
memory/4464-140-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/4464-159-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/4464-158-0x0000000002300000-0x0000000003300000-memory.dmp

Filesize
16.0MB

Download
memory/4464-157-0x0000000000C00000-0x0000000000C1C000-memory.dmp

Filesize
112KB

Download
memory/4464-156-0x0000000000708000-0x0000000000722000-memory.dmp

Filesize
104KB

Download
memory/4464-143-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/4896-154-0x000000000FAE0000-0x000000000FBA3000-memory.dmp

Filesize
780KB

Download
memory/4896-153-0x0000000002E4E000-0x0000000002F89000-memory.dmp

Filesize
1.2MB

Download
memory/4896-132-0x000000000FAE0000-0x000000000FBA3000-memory.dmp

Filesize
780KB

Download
memory/4896-162-0x0000000002E4E000-0x0000000002F89000-memory.dmp

Filesize
1.2MB

Download
memory/4896-134-0x000000000FAE0000-0x000000000FBA3000-memory.dmp

Filesize
780KB

Download
memory/4896-133-0x0000000002E4E000-0x0000000002F89000-memory.dmp

Filesize
1.2MB

Download
memory/4980-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4980-138-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4980-142-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download