eternity | c6d2e587b941ba4be62d9ca99e70db987a3a17a3128508cf69c86ac15e2d589b

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GABB/GABB.exe
Size

5.2MB
MD5

c90ce1a6c8c6185af5c85efa5a3d9eb2
SHA1

b4b2bc553bd0ed22c56c5288cd533f2e9eab1597
SHA256

4bcd41b460dc664cbeb181b9516d6ccc39eb78cfb9f7c106bf904634163a76ac
SHA512

dde898df373f3cdaadee89e7bb387be170e6c7959ecabee92dc8bb6de4de8d8164f51d2ba8b674c2dee33fbcc2700d3aa27cc47c67cd46cb4885791b83423772
SSDEEP

49152:MrC6q5wyKyKyKyKyOVoeWRd2Ru1j0IAibunmqJNAivkCnVHMDsXO1ak2zmByg2z3:MrGw////+F4rSO0Yhsp9v3eEj53f

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1700-1-0x00000000007C0000-0x0000000000CA0000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	GABB.exe

Executes dropped EXE 1 IoCs

pid	Process
1524	GABB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	GABB.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1524	1700	GABB.exe	81
PID 1700 wrote to memory of 1524	1700	GABB.exe	81
PID 1700 wrote to memory of 1524	1700	GABB.exe	81

C:\Users\Admin\AppData\Local\Temp\GABB\GABB.exe
"C:\Users\Admin\AppData\Local\Temp\GABB\GABB.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\2bcuhocz.z0b\GABB.exe
  "C:\Users\Admin\AppData\Local\Temp\2bcuhocz.z0b\GABB.exe"
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bcuhocz.z0b\GABB.exe

Filesize
1.8MB

MD5
23b71563af5ff450418a5bacfe63d4e3

SHA1
e0710c35bdd94aee3952a720fff1ec16eb40761b

SHA256
0518340706e89adb60325d1ea1106c0ea8f69da2ecbd2ef85385edd923eb0b88

SHA512
e55402adc03ff4b4c90256c4b4bb7d3a7f8b7a1bb87b73d1c6bcfe5a0ab17758e53805c00f78a4d3992ef7541ea46adabe2dbc84a8af768ea9c04eb2e23b86f3

Download Submit
memory/1524-15-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/1524-18-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/1524-23-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1524-20-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1524-16-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/1524-13-0x0000000000310000-0x00000000004EC000-memory.dmp

Filesize
1.9MB

Download
memory/1524-19-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1524-17-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/1700-12-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-14-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-0-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

Filesize
8KB

Download
memory/1700-2-0x000000001BB70000-0x000000001BD88000-memory.dmp

Filesize
2.1MB

Download
memory/1700-1-0x00000000007C0000-0x0000000000CA0000-memory.dmp

Filesize
4.9MB

Download
memory/1700-21-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

Filesize
8KB

Download
memory/1700-22-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-3-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download