eternity | 88283c1be1298e5884b5cbfc02999df22d12365512f4b5133a71d219b3aa631d | Triage

Sharing

General

Target

88283c1be1298e5884b5cbfc02999df22d12365512f4b5133a71d219b3aa631d
Size

415KB
Sample

240417-qfxwjagg98
MD5

01556d60800fcb4fca888509d64d95ad
SHA1

74774e619814d268dc22ed205a320c984658caeb
SHA256

88283c1be1298e5884b5cbfc02999df22d12365512f4b5133a71d219b3aa631d
SHA512

c2617189a09a2fc881bcf4a3ae508696d73dd477fed0291fe12c8f90701aa37c514899391c406bd93f28a2f29dcc26f56aa4ee3d5aa1ed05c1e3ed0d239276a8
SSDEEP

6144:SGhDJzqwg5AH0+FjtdRxZOTAWVqg15Hq2uwwgh1LVVxlshVyxKLYLMAFuSEvi:SMVnXEVqgBZJj0hVyKLYLMA8vi

Score

10^/10

eternity xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

C2

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Targets

- Target
  
  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
- Size
  
  455KB
- MD5
  
  c8d9593196962fa5d706a207c16674cd
- SHA1
  
  686a8e674e6615d5cd91f7b2cba0c755054b3f69
- SHA256
  
  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
- SHA512
  
  5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
- SSDEEP
  
  12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK
Score

10^/10

eternity xworm evasion persistence rat trojan
- Detect Xworm Payload
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Creates new service(s)
  persistence
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

eternityxwormevasionpersistencerattrojan

behavioral2

xwormevasionpersistencerattrojan