eternity | 348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-08-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe
Size

3.0MB
MD5

4dcc578f59fbcd01a367501fa1d4f42f
SHA1

d4586895aef6e108d6d7fd248f4d3daef151138c
SHA256

348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452
SHA512

996d0233cbaac937b24bb8c50dc99876656c9912401ece028e6d16f62d0b0b888c1808aad9ddf9fbb5aa86288c921f70dec402c960e4854b1dcbfb2d1b737ce0
SSDEEP

6144:29xMcYa+tnoCNsBEODVcTC6GJNS2zQiAkrOb8pgoc6vyNIfhoqBnbFgcWsM:2ccZ+JSPhomgcWD

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Wallets

bc1qe7z6nlxlx27fgr6ytsat6hz5t3sl0nsdtmhamn

qr47e98jys35s5npdwt5mfeq0jlvvff5rc2lshtxp2

0x2433680E4f5faA462041cC17237A898c4eE178c5

0xdbCedAEF11817bad20b278eB28d3AfEDa4C63C54

DSGVHd7VFkL6WeuEgSwst8hQfJ1jCAeiSW

TWuMkEbgzUdTLSW1dHgKT5MhFk4Qc9yMKW

ltc1qkee6dw657yp3l3xls8f5q9tva0we3m0lahf4ht

rhfQuFy8Gse1FinEHxsgCxwonKuUnMr73U

t1XHKggRimUkPvjBvW2Aum4UudRhujhMQgn

XfZro7RFb7SdHPhoJh1aXhRouaGdg3wtPr

GALTQXW2QSOIENOE7SVJAQYTKSN7DJ4JFUITAIK3AD3QSW7EQKOSRZDT

bnb16fchdnr90kqp8g3ujperk7r5kkrg3xuystg82z

6A7E4DchBSBt9bQgmKDZ3AW7g5Pshsh6qu4GGQgkJYDz

Signatures

Detects Eternity clipper 13 IoCs

clipper

resource	yara_rule
behavioral1/memory/2504-59-0x0000000000400000-0x0000000000416000-memory.dmp	eternity_clipper
behavioral1/memory/2504-60-0x0000000000400000-0x0000000000416000-memory.dmp	eternity_clipper
behavioral1/memory/2504-62-0x0000000000400000-0x0000000000416000-memory.dmp	eternity_clipper
behavioral1/memory/2504-64-0x0000000000400000-0x0000000000416000-memory.dmp	eternity_clipper
behavioral1/memory/2504-66-0x0000000000400000-0x0000000000416000-memory.dmp	eternity_clipper
behavioral1/memory/620-94-0x00000000000D0000-0x00000000000E6000-memory.dmp	eternity_clipper
behavioral1/memory/620-90-0x00000000000D0000-0x00000000000E6000-memory.dmp	eternity_clipper
behavioral1/memory/620-97-0x00000000000D0000-0x00000000000E6000-memory.dmp	eternity_clipper
behavioral1/memory/620-99-0x0000000004D80000-0x0000000004DC0000-memory.dmp	eternity_clipper
behavioral1/memory/1480-116-0x0000000000080000-0x0000000000096000-memory.dmp	eternity_clipper
behavioral1/memory/1480-120-0x0000000000080000-0x0000000000096000-memory.dmp	eternity_clipper
behavioral1/memory/1480-123-0x0000000000080000-0x0000000000096000-memory.dmp	eternity_clipper
behavioral1/memory/1480-125-0x00000000050E0000-0x0000000005120000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
364	Microsoft windows defenders.exe
2168	Microsoft windows defenders.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 364 set thread context of 620	364	Microsoft windows defenders.exe	38
PID 2168 set thread context of 1480	2168	Microsoft windows defenders.exe	45

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1684	schtasks.exe
3024	schtasks.exe
2664	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2504	csc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe
Token: SeDebugPrivilege	2504	csc.exe
Token: SeDebugPrivilege	364	Microsoft windows defenders.exe
Token: SeDebugPrivilege	2168	Microsoft windows defenders.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2504	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	28
PID 2020 wrote to memory of 2976	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	29
PID 2020 wrote to memory of 2976	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	29
PID 2020 wrote to memory of 2976	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	29
PID 2020 wrote to memory of 2976	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	29
PID 2976 wrote to memory of 3024	2976	cmd.exe	31
PID 2976 wrote to memory of 3024	2976	cmd.exe	31
PID 2976 wrote to memory of 3024	2976	cmd.exe	31
PID 2976 wrote to memory of 3024	2976	cmd.exe	31
PID 2020 wrote to memory of 3008	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	32
PID 2020 wrote to memory of 3008	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	32
PID 2020 wrote to memory of 3008	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	32
PID 2020 wrote to memory of 3008	2020	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	32
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 2608 wrote to memory of 364	2608	taskeng.exe	37
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 620	364	Microsoft windows defenders.exe	38
PID 364 wrote to memory of 2916	364	Microsoft windows defenders.exe	39
PID 364 wrote to memory of 2916	364	Microsoft windows defenders.exe	39
PID 364 wrote to memory of 2916	364	Microsoft windows defenders.exe	39
PID 364 wrote to memory of 2916	364	Microsoft windows defenders.exe	39
PID 2916 wrote to memory of 2664	2916	cmd.exe	41
PID 2916 wrote to memory of 2664	2916	cmd.exe	41
PID 2916 wrote to memory of 2664	2916	cmd.exe	41
PID 2916 wrote to memory of 2664	2916	cmd.exe	41
PID 364 wrote to memory of 2268	364	Microsoft windows defenders.exe	42
PID 364 wrote to memory of 2268	364	Microsoft windows defenders.exe	42
PID 364 wrote to memory of 2268	364	Microsoft windows defenders.exe	42
PID 364 wrote to memory of 2268	364	Microsoft windows defenders.exe	42
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2608 wrote to memory of 2168	2608	taskeng.exe	44
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45
PID 2168 wrote to memory of 1480	2168	Microsoft windows defenders.exe	45

C:\Users\Admin\AppData\Local\Temp\348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe
"C:\Users\Admin\AppData\Local\Temp\348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe" "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
  2⤵
  PID:3008

C:\Windows\system32\taskeng.exe
taskeng.exe {6C0F128F-8045-4FDC-9524-D86DB4933FDE} S-1-5-21-4159544280-4273523227-683900707-1000:UMAXQRGK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe" "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
    3⤵
    PID:2268
- C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe" "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
    3⤵
    PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe

Filesize
3.0MB

MD5
4dcc578f59fbcd01a367501fa1d4f42f

SHA1
d4586895aef6e108d6d7fd248f4d3daef151138c

SHA256
348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452

SHA512
996d0233cbaac937b24bb8c50dc99876656c9912401ece028e6d16f62d0b0b888c1808aad9ddf9fbb5aa86288c921f70dec402c960e4854b1dcbfb2d1b737ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe

Filesize
3.0MB

MD5
4dcc578f59fbcd01a367501fa1d4f42f

SHA1
d4586895aef6e108d6d7fd248f4d3daef151138c

SHA256
348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452

SHA512
996d0233cbaac937b24bb8c50dc99876656c9912401ece028e6d16f62d0b0b888c1808aad9ddf9fbb5aa86288c921f70dec402c960e4854b1dcbfb2d1b737ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe

Filesize
3.0MB

MD5
4dcc578f59fbcd01a367501fa1d4f42f

SHA1
d4586895aef6e108d6d7fd248f4d3daef151138c

SHA256
348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452

SHA512
996d0233cbaac937b24bb8c50dc99876656c9912401ece028e6d16f62d0b0b888c1808aad9ddf9fbb5aa86288c921f70dec402c960e4854b1dcbfb2d1b737ce0

Download Submit
memory/364-101-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/364-76-0x0000000000140000-0x00000000001A2000-memory.dmp

Filesize
392KB

Download
memory/364-77-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/364-79-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/620-100-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/620-99-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/620-98-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/620-97-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/620-90-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/620-94-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1480-120-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/1480-123-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/1480-116-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/1480-126-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-125-0x00000000050E0000-0x0000000005120000-memory.dmp

Filesize
256KB

Download
memory/1480-124-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-56-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download
memory/2020-55-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-71-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-54-0x0000000000EE0000-0x0000000000F42000-memory.dmp

Filesize
392KB

Download
memory/2168-103-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-104-0x0000000001250000-0x00000000012B2000-memory.dmp

Filesize
392KB

Download
memory/2168-105-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2168-127-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-67-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-73-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/2504-72-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-68-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/2504-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads