eternity | a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b

General

Target

a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
Size

1.3MB
MD5

70ef45cb31af0b6f37be051de4170839
SHA1

1539d0c2657b60a8f75d130faf4ae1468263d103
SHA256

a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b
SHA512

f9ec1b19e701fa27e7c4060cd22b99cbb4d710e909f97839c4bfb5b1e70d6216b20a19f6b302cbd0f39cd58a8a42c8d6f91154281fee0676720ae85501df36aa
SSDEEP

24576:PQH3XnBXnXwS64TJxaAZNdaV9m7R4OaJR+zrwC/vNw6mpe:PQHHBXVd4A1bD

Score

10^/10

eternity collection spyware stealer

Malware Config

Extracted

Family

eternity

C2

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/4944-8-0x0000000000400000-0x00000000004A6000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	4944	WerFault.exe	103

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
4944	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
4944	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
Token: SeDebugPrivilege	4944	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3620	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	102
PID 1404 wrote to memory of 3620	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	102
PID 1404 wrote to memory of 3620	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	102
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103
PID 1404 wrote to memory of 4944	1404	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe	103

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe

C:\Users\Admin\AppData\Local\Temp\a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
"C:\Users\Admin\AppData\Local\Temp\a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
  "C:\Users\Admin\AppData\Local\Temp\a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe"
  2⤵
  PID:3620
- C:\Users\Admin\AppData\Local\Temp\a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe
  "C:\Users\Admin\AppData\Local\Temp\a2234ee40097fa832eb3a533840e86de3933cf216fbf8445d2946cb7b61c887b.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1396
    3⤵
    - Program crash
    PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4944 -ip 4944
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF994.tmp

Filesize
220KB

MD5
1f1d78f86bd33bf2e469c379bf4bab09

SHA1
b0d946750103160860fb58f2a288777d748aa8a8

SHA256
2973932f73100e6fdefb0a9f656617764607cee2bec4bf6bff24c055d5dbef39

SHA512
b45846405dabb2d3a2955be476b77cb470a36dc01f321f821a404e1ed6a60a307477b9f35a1cd51c0fa5b67e0bd634bfb2d6ca047993b42871179637401f2b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9A4.tmp

Filesize
4KB

MD5
e4e9b850ebc449efc63af9cba2b60667

SHA1
a208175bde23984a6c3f263b230513709cbed135

SHA256
8d6f476cf09ec31174551fe223fbf1927f36becca0cf6d1fcb890adf2a987ab0

SHA512
cecc91f6d41fdaee5a3d96fb726208f60d84483441bc5858119f54334ee8dbbb5cf11b3eb65f192a2cc321381505e0ca5f7c7c7ad36a8984964cab648a4525c5

Download Submit
memory/1404-13-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1404-0-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1404-4-0x00000000059E0000-0x0000000005AC4000-memory.dmp

Filesize
912KB

Download
memory/1404-5-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1404-6-0x0000000003380000-0x0000000003396000-memory.dmp

Filesize
88KB

Download
memory/1404-7-0x0000000006560000-0x0000000006B04000-memory.dmp

Filesize
5.6MB

Download
memory/1404-1-0x0000000000E00000-0x0000000000F5A000-memory.dmp

Filesize
1.4MB

Download
memory/1404-9-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/1404-2-0x0000000005940000-0x00000000059DC000-memory.dmp

Filesize
624KB

Download
memory/1404-3-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/4944-11-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/4944-14-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/4944-15-0x0000000005F10000-0x0000000005FA2000-memory.dmp

Filesize
584KB

Download
memory/4944-16-0x0000000006190000-0x00000000061E0000-memory.dmp

Filesize
320KB

Download
memory/4944-10-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4944-8-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4944-38-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing