eternity | 44ab0ff07eacdeb0f74bffffd16ba826f6a6d7676df320303e0d960122ce51f5

General

Target

Stealer.exe
Size

335KB
MD5

841ce3b003ee2d41c5c6b53a983f31c1
SHA1

5127475b042a5aaa8ac869d7024082d701a71aad
SHA256

a5321ffc44084cba8e5bedc4fe98bc151b5f90a01192fa8d695ffcb0c8363ebd
SHA512

18bf3713cf4d2e23346a70801918b5df4c7cf6d10bda15aba64b92881c5d2b66dfa0bc2f8524e031bb7fc739cdc5177c217f12213083f5cbe0d117632bd7e6a6
SSDEEP

6144:AwzO189USPgbr8zExVQQdCZiBeB5y0vN4t/xZAbANK:AwzO18CS4xCZi70F8

Score

10^/10

eternity collection spyware stealer

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Stealer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Stealer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Stealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Stealer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Stealer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Stealer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Stealer.exe

pid process

1952 Stealer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Stealer.exe

description pid process

Token: SeDebugPrivilege 1952 Stealer.exe

pid	process
1952	Stealer.exe

description	pid	process
Token: SeDebugPrivilege	1952	Stealer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Stealer.execmd.exe

description	pid	process	target process
PID 1952 wrote to memory of 2680	1952	Stealer.exe	cmd.exe
PID 1952 wrote to memory of 2680	1952	Stealer.exe	cmd.exe
PID 1952 wrote to memory of 2680	1952	Stealer.exe	cmd.exe
PID 2680 wrote to memory of 2532	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 2532	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 2532	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 2524	2680	cmd.exe	netsh.exe
PID 2680 wrote to memory of 2524	2680	cmd.exe	netsh.exe
PID 2680 wrote to memory of 2524	2680	cmd.exe	netsh.exe
PID 2680 wrote to memory of 2832	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2832	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2832	2680	cmd.exe	findstr.exe

outlook_office_path 1 IoCs

Processes:

Stealer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe

outlook_win_path 1 IoCs

Processes:

Stealer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe

C:\Users\Admin\AppData\Local\Temp\Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1952

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2532

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
PID:2524

C:\Windows\system32\findstr.exe
findstr All
3⤵
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-0-0x0000000000A60000-0x0000000000ABA000-memory.dmp

Filesize
360KB

Download
memory/1952-1-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1952-2-0x000000001B180000-0x000000001B200000-memory.dmp

Filesize
512KB

Download
memory/1952-3-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1952-4-0x000000001B180000-0x000000001B200000-memory.dmp

Filesize
512KB

Download
memory/1952-5-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads