eternity | a5321ffc44084cba8e5bedc4fe98bc151b5f90a01192fa8d695ffcb0c8363ebd | Triage

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 07:29 UTC

Sharing

Report Analysis Logs

General

Target

Stealer.exe
Size

335KB
MD5

841ce3b003ee2d41c5c6b53a983f31c1
SHA1

5127475b042a5aaa8ac869d7024082d701a71aad
SHA256

a5321ffc44084cba8e5bedc4fe98bc151b5f90a01192fa8d695ffcb0c8363ebd
SHA512

18bf3713cf4d2e23346a70801918b5df4c7cf6d10bda15aba64b92881c5d2b66dfa0bc2f8524e031bb7fc739cdc5177c217f12213083f5cbe0d117632bd7e6a6
SSDEEP

6144:AwzO189USPgbr8zExVQQdCZiBeB5y0vN4t/xZAbANK:AwzO18CS4xCZi70F8

Score

10^/10

eternity collection spyware stealer

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

Email Collection

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Stealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Stealer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Stealer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
956	Stealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	Stealer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2660	956	Stealer.exe	29
PID 956 wrote to memory of 2660	956	Stealer.exe	29
PID 956 wrote to memory of 2660	956	Stealer.exe	29
PID 2660 wrote to memory of 2008	2660	cmd.exe	31
PID 2660 wrote to memory of 2008	2660	cmd.exe	31
PID 2660 wrote to memory of 2008	2660	cmd.exe	31
PID 2660 wrote to memory of 2656	2660	cmd.exe	32
PID 2660 wrote to memory of 2656	2660	cmd.exe	32
PID 2660 wrote to memory of 2656	2660	cmd.exe	32
PID 2660 wrote to memory of 2560	2660	cmd.exe	33
PID 2660 wrote to memory of 2560	2660	cmd.exe	33
PID 2660 wrote to memory of 2560	2660	cmd.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Stealer.exe

C:\Users\Admin\AppData\Local\Temp\Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:956
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2008
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:2656
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2560

Network

DNS

ip-api.com

Stealer.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json

Stealer.exe

Remote address:

208.95.112.1:80

Request

GET /json HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 13 Oct 2023 13:39:12 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

t.me

Stealer.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
DNS

github.com

Stealer.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

140.82.113.3
GET

https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true

Stealer.exe

Remote address:

140.82.113.3:443

Request

GET /L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: GitHub.com
Date: Fri, 13 Oct 2023 13:39:17 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.githubcopilot.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events objects-origin.githubusercontent.com *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Set-Cookie: _gh_sess=xWv4ILCGFCYmXbXofSKxxV82eZ7pRyjBODOsn%2Bbm8QQsciPyrep23mAfyZo9R8xrWchY4MlG7NXelAZUwvNkuCFt2AXRvqkLUKcgn22Mmye0JjCThqaSHicEFWBhplOzt9cQBCVJmBCcy6DglGmPR77dYzpuO71J2nRdtWQARQXKCTH75C2ssS9hY5zm8rZgHMcO34f0rsWLXOMYHncOiF5MvpjbxdyViun%2FqIznSo2QUEri6J5jU3vnz4BsB067ED929UcayODWEMu%2FfalFKQ%3D%3D--uNH0rm5vNg7hkZ%2FC--Y4KJJ2ByCLtvvqcZMcYyTw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1705990593.1697204357; Path=/; Domain=github.com; Expires=Sun, 13 Oct 2024 13:39:17 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sun, 13 Oct 2024 13:39:17 GMT; HttpOnly; Secure; SameSite=Lax
Transfer-Encoding: chunked
X-GitHub-Request-Id: C027:6ABC:1C87D2E:283B98B:65294885

208.95.112.1:80

http://ip-api.com/json

http

Stealer.exe

294 B
592 B
5
2

HTTP Request

GET http://ip-api.com/json

HTTP Response

200
149.154.167.99:443

t.me

tls

Stealer.exe

376 B
219 B
5
5
140.82.113.3:443

https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true

tls, http

Stealer.exe

4.2kB
154.2kB
83
113

HTTP Request

GET https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true

HTTP Response

404

8.8.8.8:53

ip-api.com

dns

Stealer.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

t.me

dns

Stealer.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

github.com

dns

Stealer.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

140.82.113.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-0-0x0000000000CF0000-0x0000000000D4A000-memory.dmp

Filesize
360KB

Download
memory/956-1-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/956-2-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/956-3-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/956-4-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download