eternity | 160ffdb97712c84d3e7dca1e26924d48cd92afb6c21665df8912cae81cc91d9b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Clipper.exe
Size

36KB
MD5

a8336c9284c9ef94e43c872a9d851745
SHA1

ddeab3f743a27717697ce67b1efc5ddc9f6f23e9
SHA256

160ffdb97712c84d3e7dca1e26924d48cd92afb6c21665df8912cae81cc91d9b
SHA512

04a7c409c202ff182c8fef28b8bf0dfa1cda362e77940d2c163b5011dfb9980c8221d3caeceb2c4989683f53cb1de910a9b8bcf0ddd5a5d07dcdb7050b4fd68a
SSDEEP

768:qn3vh2w5xJC2KnNfV8od6cZT5pRkLAgSbX6z:q3vtjaVF5p6LQqz

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

44CXkMKGjDvF7no7BaqUNug1jfk2HbibZVTq5QyxtBndGrGhNCSujURPfPuAF81QPKCg2ircpyCKcQkYLR1hsZsQRtnUJxN

1C4hJT5n1tSiGKWup67DAiJdVv6GhjdN7k

bitcoincash:qp7cvk9y54wavs7ymyxs6dg7dsr4jyww3gl7l0u2qu

0x4B2924cc68f9920179ae27423d1b1AFdF1278a16

DMjAHewovYwGUbBRDjLXcBmRF1zdHHixs1

TM5P1JHRL7B6qRLhu1ETn3Fevhjrr4dS8E

LLUBUSsFjwFVyn66kDy5BjumSuQ2Kr76hR

rKGztQSkFyn5wfPg5Bg6JhXKMnRx2pCyDN

t1dmAv1SZBcsbJUpCHN5TEFNUZdGEjTq8o4

Xvm7enX3tAp3Z8xioepTajnCet8FVWMHV7

GC56QYDSZEO3P353Y7FA4YTLGX7YNMQQ7XGZ7O67RTKN7MLGCXCBIEEM

bnb1ydrtrn5fn0ymphv4mc9n2yes6pjhgxnyj5yd7x

2JC8emeKdhgzT8N8m1m6afvAgagAnp8Xpkvcnk6wNKdn

F2J7WG7RTUAEC7JMTB2GNJ2XS3E5UCBBW2R6MBLWUDKINF5ZF7YQ2WBHNA

Signatures

Detects Eternity clipper 1 IoCs

clipper

resource	yara_rule
behavioral1/memory/1016-0-0x0000000000BD0000-0x0000000000BE0000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1020	1016	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	Clipper.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1020	1016	Clipper.exe	28
PID 1016 wrote to memory of 1020	1016	Clipper.exe	28
PID 1016 wrote to memory of 1020	1016	Clipper.exe	28
PID 1016 wrote to memory of 1020	1016	Clipper.exe	28

C:\Users\Admin\AppData\Local\Temp\Clipper.exe
"C:\Users\Admin\AppData\Local\Temp\Clipper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1056
  2⤵
  - Program crash
  PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-0-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/1016-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1016-2-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download
memory/1016-3-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1016-4-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download