eternity

Sharing

Copy URL

Twitter E-mail

General

Target

aee33bd68c717670ae12809740991b09.exe
Size

1.7MB
Sample

231126-t4b6hsae3w
MD5

aee33bd68c717670ae12809740991b09
SHA1

2baadc4c17a4355da5dbe1fce026deb1f1b1b040
SHA256

1d456d0972e2de6cc7d5865c00710a3aa75ee4bde546281387c2b5c73244ef5b
SHA512

7b2a8a194548110e8bcedcecf48f177c5acaa0a7e20f96d320e6b16ff736af25e79187a8f448c528d9107e787cddfc8baaf84575eaa3508ad338f43a601464de
SSDEEP

24576:NziwJJIRDgPFGXnI3WMKC9ej6a9DhvhSuW:Nziw7PFGXnI3WMA6a3vQH

Malware Config

Extracted

Family

smokeloader

Version

2022

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

195.10.205.16:1056

Extracted

Family

redline

Botnet

LFA

91.92.249.95:7124

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Targets

- Target
  
  aee33bd68c717670ae12809740991b09.exe
- Size
  
  1.7MB
- MD5
  
  aee33bd68c717670ae12809740991b09
- SHA1
  
  2baadc4c17a4355da5dbe1fce026deb1f1b1b040
- SHA256
  
  1d456d0972e2de6cc7d5865c00710a3aa75ee4bde546281387c2b5c73244ef5b
- SHA512
  
  7b2a8a194548110e8bcedcecf48f177c5acaa0a7e20f96d320e6b16ff736af25e79187a8f448c528d9107e787cddfc8baaf84575eaa3508ad338f43a601464de
- SSDEEP
  
  24576:NziwJJIRDgPFGXnI3WMKC9ej6a9DhvhSuW:Nziw7PFGXnI3WMA6a3vQH
Score

10^/10

glupteba redline smokeloader @ytlogsbot up3 backdoor discovery dropper evasion infostealer loader persistence rootkit spyware stealer trojan eternity zgrat lfa livetraffic rat
- Detect ZGRat V1
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2