eternity | acc7b7e5b7a0c5e146cf6bc2a21be958d89978798afc479e76df6cf39857547a

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-01-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bltool 2.7..2.exe
Size

3.8MB
MD5

e1c3bad47838c6ee4d8696854a5a09a0
SHA1

06a48674f78b840cba9f8e8742b96a274c996f14
SHA256

acc7b7e5b7a0c5e146cf6bc2a21be958d89978798afc479e76df6cf39857547a
SHA512

5c266897401510bbdaa1b83af4372df226c9ee416adcf1a61cd67e4f6970e53c9f9699b02296037305dbac261625dec164cdc70abc7b59a0b048b2fea16e080f
SSDEEP

98304:xl8QhfSIkbonul+rlFgjV+62uoNsrksZ5f:jdfgv+ChZesoa

Score

10^/10

eternity collection spyware stealer

Malware Config

Extracted

Family

eternity

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
2788	babu.exe
2684	z.exe

Loads dropped DLL 7 IoCs

pid	Process
2876	bltool 2.7..2.exe
2876	bltool 2.7..2.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	babu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	babu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	babu.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2596	2684	WerFault.exe	31

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	babu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	babu.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	babu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	babu.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1900	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	powershell.exe
2788	babu.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2788	babu.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3032	2876	bltool 2.7..2.exe	28
PID 2876 wrote to memory of 3032	2876	bltool 2.7..2.exe	28
PID 2876 wrote to memory of 3032	2876	bltool 2.7..2.exe	28
PID 2876 wrote to memory of 3032	2876	bltool 2.7..2.exe	28
PID 2876 wrote to memory of 2788	2876	bltool 2.7..2.exe	30
PID 2876 wrote to memory of 2788	2876	bltool 2.7..2.exe	30
PID 2876 wrote to memory of 2788	2876	bltool 2.7..2.exe	30
PID 2876 wrote to memory of 2788	2876	bltool 2.7..2.exe	30
PID 2876 wrote to memory of 2684	2876	bltool 2.7..2.exe	31
PID 2876 wrote to memory of 2684	2876	bltool 2.7..2.exe	31
PID 2876 wrote to memory of 2684	2876	bltool 2.7..2.exe	31
PID 2876 wrote to memory of 2684	2876	bltool 2.7..2.exe	31
PID 2684 wrote to memory of 2596	2684	z.exe	32
PID 2684 wrote to memory of 2596	2684	z.exe	32
PID 2684 wrote to memory of 2596	2684	z.exe	32
PID 2684 wrote to memory of 2596	2684	z.exe	32
PID 2788 wrote to memory of 2620	2788	babu.exe	34
PID 2788 wrote to memory of 2620	2788	babu.exe	34
PID 2788 wrote to memory of 2620	2788	babu.exe	34
PID 2620 wrote to memory of 1736	2620	cmd.exe	36
PID 2620 wrote to memory of 1736	2620	cmd.exe	36
PID 2620 wrote to memory of 1736	2620	cmd.exe	36
PID 2620 wrote to memory of 2012	2620	cmd.exe	37
PID 2620 wrote to memory of 2012	2620	cmd.exe	37
PID 2620 wrote to memory of 2012	2620	cmd.exe	37
PID 2620 wrote to memory of 1912	2620	cmd.exe	38
PID 2620 wrote to memory of 1912	2620	cmd.exe	38
PID 2620 wrote to memory of 1912	2620	cmd.exe	38
PID 2788 wrote to memory of 1048	2788	babu.exe	39
PID 2788 wrote to memory of 1048	2788	babu.exe	39
PID 2788 wrote to memory of 1048	2788	babu.exe	39
PID 1048 wrote to memory of 1880	1048	cmd.exe	41
PID 1048 wrote to memory of 1880	1048	cmd.exe	41
PID 1048 wrote to memory of 1880	1048	cmd.exe	41
PID 1048 wrote to memory of 1900	1048	cmd.exe	42
PID 1048 wrote to memory of 1900	1048	cmd.exe	42
PID 1048 wrote to memory of 1900	1048	cmd.exe	42

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	babu.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	babu.exe

C:\Users\Admin\AppData\Local\Temp\bltool 2.7..2.exe
"C:\Users\Admin\AppData\Local\Temp\bltool 2.7..2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AagBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAZgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBhACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\babu.exe
  "C:\Users\Admin\AppData\Local\Temp\babu.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2788
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1736
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:2012
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:1912
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\babu.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1880
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1900
- C:\Users\Admin\AppData\Local\Temp\z.exe
  "C:\Users\Admin\AppData\Local\Temp\z.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 668
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\z.exe

Filesize
3.4MB

MD5
528b540e2aec29669239482dc9979f4c

SHA1
1ea8bb0122777f6e4223820c7873486935123a6b

SHA256
28f71e8f8c650b109771f51695785420401839499e15e41a2c634bce4ab5456c

SHA512
f96bcc3ae1185bf1fba2f59c0550d0c721c4d5692e31d705fa5a8115699697c529b41aed54d4d7fe1b9754d6d21bbfd714c05a3add3b4cbe025cf089110098f6

Download Submit
\Users\Admin\AppData\Local\Temp\babu.exe

Filesize
336KB

MD5
992ebc4c599ca9b6f7e6b1a843609e7d

SHA1
58afffc9df3f3c3b5911bcd77ac843d046ef8dbb

SHA256
73d5c4d972107c9bf50f0366a4e8466a3fec84009ccc080e51febe5393708ed4

SHA512
768eda1dc9f692564f51a59c479daf048854560b320143e910da77180cdcc2c0bd957f17411041a86abf08f08d2a00ea8cfd37c393edbd812cb2c1dde18fbb8c

Download Submit
\Users\Admin\AppData\Local\Temp\z.exe

Filesize
2.8MB

MD5
aaaee21203f0d264c70988507e0fb4c1

SHA1
ade62173c6c27499e5f4a11d189c2b115d649375

SHA256
d6a3c8e779354b6cb928e518c7c2aedbfc350bfa0d16cee9df89f1131c8b90f5

SHA512
27e5814d2c9ea07e026ca5cf6a102ba225b02c38699d84de42e58148e2e3c30d73ceb6d4cfa0afd106c9c7e5351c3d9a9ea2fb4368a0cb151a74777234e40ce2

Download Submit
\Users\Admin\AppData\Local\Temp\z.exe

Filesize
2.7MB

MD5
5ffe0d4affb2315fcf416811bd39af88

SHA1
847b6de285a9e012a94f26a9e691e4f3753440ec

SHA256
8776d2b844dcd64b622933909f1bee249a48fdcc405fd14bdfce07db3bc97206

SHA512
ac254f9214307cf737ae94e71e61a218519b472f8aae656128cd345e42a8d46cf70373bc66306e184237d81ac2bb6a9fa1323417803759911f9ff031970fb666

Download Submit
\Users\Admin\AppData\Local\Temp\z.exe

Filesize
2.7MB

MD5
a4a2751a3f0d9cdaf3494c911e64be12

SHA1
75c7b59c6d91b687748272a63b9f71f42c943fcc

SHA256
a65578f3534ccab1b50c98853052e5f81eb7c9ebdda0be7325b7ce5c01972159

SHA512
860337287cc346125d1b517723f567e89dd329410c85211afe5b3b6c8502c930a6ddf64670e0922764ae8b1929addfdd08956bb381fe96d3bc53aab10d90b057

Download Submit
\Users\Admin\AppData\Local\Temp\z.exe

Filesize
2.7MB

MD5
e2966bddd33e3690c9b64e8d53c8a075

SHA1
6d78a66d00b1000c3de6967d39815b600aadac36

SHA256
5ca38b20f5fa78b6cb129e5d6893a9bf0e20a80b7e87a6cb750ec67e07a624bf

SHA512
f31ab951f1c04950f2a343c39aeab4da4bc5ac78b177e7323704cbe7930ed26dca38736a043ebd8c5f18a731c59547b14d775d5521c27d90c4d1907d25aebd9d

Download Submit
memory/2684-33-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download
memory/2684-32-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-21-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-24-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download
memory/2684-16-0x0000000000150000-0x00000000004BA000-memory.dmp

Filesize
3.4MB

Download
memory/2788-31-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-23-0x00000000008F0000-0x0000000000970000-memory.dmp

Filesize
512KB

Download
memory/2788-17-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-15-0x0000000000990000-0x00000000009EA000-memory.dmp

Filesize
360KB

Download
memory/3032-19-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/3032-29-0x00000000727B0000-0x0000000072D5B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-22-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/3032-20-0x00000000727B0000-0x0000000072D5B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-18-0x00000000727B0000-0x0000000072D5B000-memory.dmp

Filesize
5.7MB

Download