eternity | 8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb

Analysis

max time kernel
76s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2023, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Size

37KB
MD5

0b5ab18b1fb6b220e32a614dfb5b4de2
SHA1

42b2d5dcf34395173b96899113d42080f0053643
SHA256

8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb
SHA512

999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7
SSDEEP

768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Score

10^/10

eternity redline smokeloader @oleh_ps backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000230f8-23.dat	family_redline
behavioral2/memory/4324-28-0x0000000000A60000-0x0000000000A9C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
3172	Process not Found

Executes dropped EXE 4 IoCs

pid	Process
4204	9788.exe
860	16DB.exe
1780	1D15.exe
4324	2072.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 1616	1780	1D15.exe	110

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
4472	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4472	0b5ab18b1fb6b220e32a614dfb5b4de2.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4204	3172	Process not Found	103
PID 3172 wrote to memory of 4204	3172	Process not Found	103
PID 3172 wrote to memory of 4204	3172	Process not Found	103
PID 3172 wrote to memory of 860	3172	Process not Found	106
PID 3172 wrote to memory of 860	3172	Process not Found	106
PID 3172 wrote to memory of 860	3172	Process not Found	106
PID 3172 wrote to memory of 1780	3172	Process not Found	107
PID 3172 wrote to memory of 1780	3172	Process not Found	107
PID 3172 wrote to memory of 1780	3172	Process not Found	107
PID 3172 wrote to memory of 4324	3172	Process not Found	108
PID 3172 wrote to memory of 4324	3172	Process not Found	108
PID 3172 wrote to memory of 4324	3172	Process not Found	108
PID 1780 wrote to memory of 3512	1780	1D15.exe	109
PID 1780 wrote to memory of 3512	1780	1D15.exe	109
PID 1780 wrote to memory of 3512	1780	1D15.exe	109
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110
PID 1780 wrote to memory of 1616	1780	1D15.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe
"C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4472

C:\Users\Admin\AppData\Local\Temp\9788.exe
C:\Users\Admin\AppData\Local\Temp\9788.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\16DB.exe
C:\Users\Admin\AppData\Local\Temp\16DB.exe
1⤵
- Executes dropped EXE
PID:860
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:3656
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:4356

C:\Users\Admin\AppData\Local\Temp\1D15.exe
C:\Users\Admin\AppData\Local\Temp\1D15.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
    3⤵
    PID:3860

C:\Users\Admin\AppData\Local\Temp\2072.exe
C:\Users\Admin\AppData\Local\Temp\2072.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\44F3.exe
C:\Users\Admin\AppData\Local\Temp\44F3.exe
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\4CE3.exe
C:\Users\Admin\AppData\Local\Temp\4CE3.exe
1⤵
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16DB.exe

Filesize
20.7MB

MD5
d0c59443e41e1160209139841fa39c9f

SHA1
76be0077ce9dc5ef6756b8c202a6d5d94c759535

SHA256
de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c

SHA512
d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D15.exe

Filesize
279KB

MD5
0de1d0372e15bbfeded7fb418e8c00ae

SHA1
6d0dc8617e5bcdd48dd5b45d8f40b97e4bbce0a1

SHA256
98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502

SHA512
7b3f2d2cc3fce6707be938053fd94a8a5edb48f7dad787847bd362329b6f07657fd7f66ab1f5c5d78db12aa7a41717ea3c7cbe8a1706d2456d1c42e9b1fb4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2072.exe

Filesize
219KB

MD5
91d23595c11c7ee4424b6267aabf3600

SHA1
ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

SHA256
d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

SHA512
cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
832KB

MD5
4a9e40fa8264d6e63bf044600ae92ec1

SHA1
917d952821b9c1ae38205a036ee4540afdf48f8a

SHA256
611487839bfadd009afa344945503a08ea240b2b966b924ab6c0cc160995798d

SHA512
1a1a1eb60e1710e6ad89bc3c4e7d87d032a463f905d03ff7f1a8bfc18ed81cb96951fe315659526b2ce40a55d05de3601c19643a17b915c1bb4efed43aaeea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
704KB

MD5
c2f66d15f2d6c660047154704e7d186c

SHA1
36f72e94b82ed17f36d0ca722ada953b0ebc5bf4

SHA256
8cf00f2d21fe713193ada5cb47b37be9d872fbff4d025ed14567785c09411f1c

SHA512
3126404938b881d2d5520a1f5e2a5274d4bad56556087f7702a620256930736e10db1ac324e2c46991a7322a99270eef47087dc7d8c405691a683db012cf4f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\44F3.exe

Filesize
576KB

MD5
f9a9f70bf5d417c3b01b651549cb4229

SHA1
9032cb2d2ab901276640cc29b76bd65774132b19

SHA256
83b49507b64922720a68aa0f0fec49f48209fa64126d5e89366a7267637512cd

SHA512
845aa421a8da4e098f4df86957200d736adce0047bbfda652d1c2fd962b5ede9486994c63fed07b56de8bd94d6bdf42f4346aa92690cdfaaaf3ffd45849f7f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\9788.exe

Filesize
401KB

MD5
f88edad62a7789c2c5d8047133da5fa7

SHA1
41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

SHA256
eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

SHA512
e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
832KB

MD5
4dc703a1292f7ae81a10105c0ce28a43

SHA1
ae0ee928db8037ca0a34031b556d2ea62fc4d96e

SHA256
c13a9f933aba7ada1740067f68a93613c0e4ec3266d9bfe5c0ab8bd278fc4312

SHA512
e3c3d804127edb4819362b26724c3d3e9712355175ace7a1a00add09def1bdf759332b0f4fade43491a26a530a0ccd6bb0be1a344d77b7b358b4dfb71ba5c8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
77471d919a5e2151fb49f37c315af514

SHA1
0687047ed80aa348bdc1657731f21181995b654c

SHA256
52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1

SHA512
6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
896KB

MD5
0e229517da34b2e84b4d471ad3083bbf

SHA1
37a7bcb538db05c1e6bc32f4fe676c1841be1f4b

SHA256
24d0dc0e173e53c57f7b4cf8f9810658bdc36e40840006a73ab3294f63c1cb89

SHA512
05a5d10204887c1b237914ba1d722ffb13eb0f5bd4243f436882cd7b913468bfefc3acf392349b57ad6982dd4ad7888ad93b47eb4faf2e987978eafd2823a127

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
291KB

MD5
cde750f39f58f1ec80ef41ce2f4f1db9

SHA1
942ea40349b0e5af7583fd34f4d913398a9c3b96

SHA256
0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

SHA512
c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
1.2MB

MD5
312dbad72fbc4a4a97c1c269e0ecae76

SHA1
1d5864b8eb96c1c4fd45667b0a0981643183fa10

SHA256
3afa784ee5c99abf77ca1e6037d2603f9ec187658e854d3ec509164ed858e01b

SHA512
9d2ae8933d0425ae0a71e502b378c2e958a2274f8ce97c40e07e6e9bf9353bc748e0665e9b6f5c7aba0426b180510d2c419616f0167b13ac56398fc88dd31d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
256KB

MD5
8335d6613a3214463ef7b6e4e677e75b

SHA1
9ffc50191767dec85b8b5e42d20ab93bd0ff7294

SHA256
7ec6e003abdae200d11be45647958e6bd3cd3981fe5ff7167486b76095862836

SHA512
fc5a092b60d1e4b8e489d8c1fc03ecb26319a7c60c2f8a5e85a08c89e1177b329c3eba5776609d7550b19cf08c58d3aa6109d1dab2cd10790c3a6f391bef6b91

Download Submit
memory/860-27-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/860-29-0x0000000000E60000-0x0000000002316000-memory.dmp

Filesize
20.7MB

Download
memory/1616-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1616-25-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1616-50-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1616-30-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/2444-84-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/4324-26-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/4324-36-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/4324-28-0x0000000000A60000-0x0000000000A9C000-memory.dmp

Filesize
240KB

Download
memory/4324-33-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/4324-43-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/4324-83-0x0000000007BE0000-0x0000000007BF2000-memory.dmp

Filesize
72KB

Download
memory/4472-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4472-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4840-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download