eternity | 259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9

Analysis

max time kernel
165s
max time network
181s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2023, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
Size

1.4MB
MD5

4f201081c84cff8d1da121e9bd663081
SHA1

c58a44b848ad53c371ea6064ab9e84d12a8c040d
SHA256

259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9
SHA512

06169913f1ff763abf0d6c5de48ee2c4275f495f0c36ab839e09883d7770b4bee03e851f124018f7d2cc9cfb41e3e513e43465f2a079b5bc78622e677c453b2e
SSDEEP

24576:u3cyHN7H5jj7nr5SRmKyIFH2CZCT/xDQv5tBhqfDVGNClrbI54Bj:wc0Rlj74Mc2I5zEtJbg4Bj

Score

10^/10

eternity rhadamanthys clipper stealer

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

46hRZV3wiYgYb9Sw6V9VmSKZbS8pTTaMfQ4yFam5VRTz47JXvvBukjj8Sr4i8DbxQojNRPZFWE2avCbHnrRnD5XeSK8aiu9

qp5699zfqyull2vfavarsd8mm5rkj0affg78fpwhhz

0xF75989D7E17A4BE89F32a1A23B896255426c45F1

D8RGnqQXbCxksTbkaeryo9xrxk5XUKkgvn

THQTA24ugkbVrs9ynrm7mSpBnVsUHXGY6T

LTDcx7wGM2b1YWSjVpciA9mv36xe2Kz71P

rJh4ZTmLABknoDaz3uaj3mCiZDT6oG2pPB

t1SSSZD9z9hr3oyzZu5fk9MKDWZb3xZksbh

Xbz69HkR72FBEND7Mpu2Ep9wEziNxjqttx

Acwj1Km3Fu388MsR9CXbK4ojotzLT3bbP6

GDZ7JF6VZK7TCS43YTLK53SX6FORENV2LSRVURO5N225CLZHQHUQYLYZ

98FgZZenUxabTrQ7d7Rq4hPHACqRXLq7Ukfp2Ui6L3oj

O3G6DCADGJZI32IYSACT4DRZBZSQBLKSVSDXSIDQ3SI3UNJ2FU63ELYNRQ

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral2/memory/2084-141-0x00000000036B0000-0x00000000036CC000-memory.dmp	family_rhadamanthys
behavioral2/memory/2084-156-0x00000000036B0000-0x00000000036CC000-memory.dmp	family_rhadamanthys
behavioral2/memory/2084-159-0x00000000036B0000-0x00000000036CC000-memory.dmp	family_rhadamanthys

Detects Eternity clipper 1 IoCs

clipper

resource	yara_rule
behavioral2/memory/4104-124-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4192 created 2940	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	17

Executes dropped EXE 2 IoCs

pid	Process
3700	ngentask.exe
4544	ngentask.exe

Loads dropped DLL 1 IoCs

pid	Process
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2084	fontview.exe
2084	fontview.exe
2084	fontview.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4192 set thread context of 4104	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	66

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3824	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4976	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2084	fontview.exe
Token: SeCreatePagefilePrivilege	2084	fontview.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4104	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	66
PID 4192 wrote to memory of 4104	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	66
PID 4192 wrote to memory of 4104	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	66
PID 4192 wrote to memory of 4104	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	66
PID 4192 wrote to memory of 4104	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	66
PID 4192 wrote to memory of 2084	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	67
PID 4192 wrote to memory of 2084	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	67
PID 4192 wrote to memory of 2084	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	67
PID 4192 wrote to memory of 2084	4192	259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe	67
PID 4104 wrote to memory of 4908	4104	ngentask.exe	68
PID 4104 wrote to memory of 4908	4104	ngentask.exe	68
PID 4104 wrote to memory of 4908	4104	ngentask.exe	68
PID 4908 wrote to memory of 4948	4908	cmd.exe	70
PID 4908 wrote to memory of 4948	4908	cmd.exe	70
PID 4908 wrote to memory of 4948	4908	cmd.exe	70
PID 4908 wrote to memory of 4976	4908	cmd.exe	71
PID 4908 wrote to memory of 4976	4908	cmd.exe	71
PID 4908 wrote to memory of 4976	4908	cmd.exe	71
PID 4908 wrote to memory of 3824	4908	cmd.exe	72
PID 4908 wrote to memory of 3824	4908	cmd.exe	72
PID 4908 wrote to memory of 3824	4908	cmd.exe	72
PID 4908 wrote to memory of 3700	4908	cmd.exe	73
PID 4908 wrote to memory of 3700	4908	cmd.exe	73
PID 4908 wrote to memory of 3700	4908	cmd.exe	73

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2940
- C:\Windows\SYSWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2084

C:\Users\Admin\AppData\Local\Temp\259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe
"C:\Users\Admin\AppData\Local\Temp\259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4976
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3824
  - - C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
      4⤵
      Executes dropped EXE
      PID:3700

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
1⤵
- Executes dropped EXE
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.log

Filesize
321B

MD5
076d7c48064de4effadfe36d1857322d

SHA1
273f4d3f67c4ec0a637317ce2a536e52cc1c2090

SHA256
7cdcfb48cb249895caa7d3b5ce9ad53c7185d426f0f5669fe79bc5e047ff29ed

SHA512
e540c14a5093a1607dd47b0cdf96e21957d1b70aae24dcd99cdb3e3292451222760e8106b1e6e6091928b9998a6d307709e39081565a5e49d85c64e03bc55abf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
83KB

MD5
2b1b8bfedc62990b2aaad45c69d3ac15

SHA1
a18680596b4cefacab15429a3ebe7c863b35621c

SHA256
b228e6b850401f800e47d99f1633f97f3918f8706465fd289f68f79bcb6055f8

SHA512
010336212ffd6d87e821b9f9297dcccf7bf8ab633988909e0177384ab54890b73ae29a207945668ee3c34df3f1d1b0341347cd02df00baf5e312766dbc75f45f

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
83KB

MD5
2b1b8bfedc62990b2aaad45c69d3ac15

SHA1
a18680596b4cefacab15429a3ebe7c863b35621c

SHA256
b228e6b850401f800e47d99f1633f97f3918f8706465fd289f68f79bcb6055f8

SHA512
010336212ffd6d87e821b9f9297dcccf7bf8ab633988909e0177384ab54890b73ae29a207945668ee3c34df3f1d1b0341347cd02df00baf5e312766dbc75f45f

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe

Filesize
83KB

MD5
2b1b8bfedc62990b2aaad45c69d3ac15

SHA1
a18680596b4cefacab15429a3ebe7c863b35621c

SHA256
b228e6b850401f800e47d99f1633f97f3918f8706465fd289f68f79bcb6055f8

SHA512
010336212ffd6d87e821b9f9297dcccf7bf8ab633988909e0177384ab54890b73ae29a207945668ee3c34df3f1d1b0341347cd02df00baf5e312766dbc75f45f

Download Submit
\Users\Admin\AppData\Local\Temp\240543703.dll

Filesize
334KB

MD5
8596736c157f4e9d597e640b5fd272c2

SHA1
52c13d50177761027cf834200909cb8871e2bfc0

SHA256
7788d59ce9a3935ac67aadd1d6da93feb8a6c2c4ee8b53fba51b93a8f42b3a7a

SHA512
ceb67ced3657617fbe6485642e92c44e672fc39f4c1770a92323bccee636aebeea3b788b9297787db1bb0945e194f2aa245e7f02743207577eca160488ca7d37

Download Submit
memory/2084-157-0x0000000003690000-0x0000000003692000-memory.dmp

Filesize
8KB

Download
memory/2084-130-0x0000000003250000-0x0000000003283000-memory.dmp

Filesize
204KB

Download
memory/2084-141-0x00000000036B0000-0x00000000036CC000-memory.dmp

Filesize
112KB

Download
memory/2084-156-0x00000000036B0000-0x00000000036CC000-memory.dmp

Filesize
112KB

Download
memory/2084-158-0x0000000003690000-0x0000000003693000-memory.dmp

Filesize
12KB

Download
memory/2084-160-0x0000000003250000-0x0000000003283000-memory.dmp

Filesize
204KB

Download
memory/2084-159-0x00000000036B0000-0x00000000036CC000-memory.dmp

Filesize
112KB

Download
memory/3700-139-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/4104-129-0x0000000005F20000-0x000000000641E000-memory.dmp

Filesize
5.0MB

Download
memory/4104-124-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4104-122-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4192-121-0x000000000F850000-0x000000000F913000-memory.dmp

Filesize
780KB

Download