eternity | 348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452

General

Target

348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe
Size

3.0MB
MD5

4dcc578f59fbcd01a367501fa1d4f42f
SHA1

d4586895aef6e108d6d7fd248f4d3daef151138c
SHA256

348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452
SHA512

996d0233cbaac937b24bb8c50dc99876656c9912401ece028e6d16f62d0b0b888c1808aad9ddf9fbb5aa86288c921f70dec402c960e4854b1dcbfb2d1b737ce0
SSDEEP

6144:29xMcYa+tnoCNsBEODVcTC6GJNS2zQiAkrOb8pgoc6vyNIfhoqBnbFgcWsM:2ccZ+JSPhomgcWD

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Wallets

bc1qe7z6nlxlx27fgr6ytsat6hz5t3sl0nsdtmhamn

qr47e98jys35s5npdwt5mfeq0jlvvff5rc2lshtxp2

0x2433680E4f5faA462041cC17237A898c4eE178c5

0xdbCedAEF11817bad20b278eB28d3AfEDa4C63C54

DSGVHd7VFkL6WeuEgSwst8hQfJ1jCAeiSW

TWuMkEbgzUdTLSW1dHgKT5MhFk4Qc9yMKW

ltc1qkee6dw657yp3l3xls8f5q9tva0we3m0lahf4ht

rhfQuFy8Gse1FinEHxsgCxwonKuUnMr73U

t1XHKggRimUkPvjBvW2Aum4UudRhujhMQgn

XfZro7RFb7SdHPhoJh1aXhRouaGdg3wtPr

GALTQXW2QSOIENOE7SVJAQYTKSN7DJ4JFUITAIK3AD3QSW7EQKOSRZDT

bnb16fchdnr90kqp8g3ujperk7r5kkrg3xuystg82z

6A7E4DchBSBt9bQgmKDZ3AW7g5Pshsh6qu4GGQgkJYDz

Signatures

Detects Eternity clipper 1 IoCs

clipper

resource	yara_rule
behavioral2/memory/4600-137-0x0000000000400000-0x0000000000416000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 1 IoCs

pid	Process
4052	Microsoft windows defenders.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1324	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4600	csc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe
Token: SeDebugPrivilege	4600	csc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 4600	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	81
PID 2352 wrote to memory of 5068	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	82
PID 2352 wrote to memory of 5068	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	82
PID 2352 wrote to memory of 5068	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	82
PID 5068 wrote to memory of 1324	5068	cmd.exe	84
PID 5068 wrote to memory of 1324	5068	cmd.exe	84
PID 5068 wrote to memory of 1324	5068	cmd.exe	84
PID 2352 wrote to memory of 1696	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	85
PID 2352 wrote to memory of 1696	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	85
PID 2352 wrote to memory of 1696	2352	348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe	85

C:\Users\Admin\AppData\Local\Temp\348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe
"C:\Users\Admin\AppData\Local\Temp\348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\348cc43725f4e3547e7ac1c95a3ef094b2a769393829f4dadbe4882dd41e6452.exe" "C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
  2⤵
  PID:1696

C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe"
1⤵
- Executes dropped EXE
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe

Filesize
1.9MB

MD5
b948b68c5ef4391bafb5310ae8f1edfc

SHA1
9fe11f45072c307e532573eb2ce17a3c66506206

SHA256
f4bf0f6dbb16984214405c83f6dc68f7385d5c25a3bafe48e1aa1d6b9b4bff75

SHA512
3fb155ce626aa68794a21638ff1c97acc9b9191390acce49267399eae4694406563537b72484dc79ccf3115696dbd94ba24a647dd050bd7685bec39bb393dbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft windows defenders\Microsoft windows defenders.exe

Filesize
1.3MB

MD5
f547b1389c36620133380c94b6e4b518

SHA1
8eb036203ad628e67d3b6f6f3cc9b231f1add201

SHA256
be8d8a90cc86a77f0f573213438b62c8ba4a70d8645ae55961e0f4eb6a67d07c

SHA512
da2d2901c7908aa707d4b9a5a2b5c3d405e92679fdc894fedc93c05e167f28ddd2734db7240cc9abcc8730e10a49e949aef57b032a7d84a53adba515db477c59

Download Submit
memory/2352-133-0x0000000000100000-0x0000000000162000-memory.dmp

Filesize
392KB

Download
memory/2352-135-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/2352-136-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/2352-134-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2352-143-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-151-0x0000000000860000-0x00000000008C2000-memory.dmp

Filesize
392KB

Download
memory/4052-150-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4600-146-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-147-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4600-145-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/4600-144-0x0000000006110000-0x00000000061A2000-memory.dmp

Filesize
584KB

Download
memory/4600-139-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4600-138-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads