eternity | ed0d39053bb6af8bfc79d1ab45677b9f0c953a7759b7f4cfd59aa6a7a6ed0c9e

General

Target

SlipWare/SlipWare.exe
Size

32.9MB
MD5

88c7918696a9fd912abae1bae9e15a8b
SHA1

c480587139e54de4e82fd82ccd65edf349c07cc8
SHA256

08bd472c2e983b1438adcd55e93229f00db673dfffc48ab673aca782a9f42ba4
SHA512

b19fb4eacec87b4c1c5ede0bc52ad147e0c271403839cdff385b259a90dff29b32ce94f4f79bd47cc37f16e4dfe83bd9034721ec346af656a1bab0551fb7f1fb
SSDEEP

786432:TJkErUyK2oxbQA3r13zxwr53xJDXQFzfxp0DrJcx0d:TJkEjEbv3rVQ3gzCJcxW

Score

10^/10

eternity pyinstaller stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral5/memory/2456-1-0x0000000001090000-0x0000000003162000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SlipWare.exe	SlipWare.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SlipWare.exe	SlipWare.exe

Executes dropped EXE 3 IoCs

pid	Process
3056	SLIPWARE.exe
1740	SLIPWARE.exe
1428	dcd.exe

Loads dropped DLL 4 IoCs

pid	Process
2456	SlipWare.exe
3056	SLIPWARE.exe
1740	SLIPWARE.exe
1200	Process not Found

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral5/files/0x000900000001659d-8.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	SlipWare.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3056	2456	SlipWare.exe	30
PID 2456 wrote to memory of 3056	2456	SlipWare.exe	30
PID 2456 wrote to memory of 3056	2456	SlipWare.exe	30
PID 3056 wrote to memory of 1740	3056	SLIPWARE.exe	31
PID 3056 wrote to memory of 1740	3056	SLIPWARE.exe	31
PID 3056 wrote to memory of 1740	3056	SLIPWARE.exe	31
PID 2456 wrote to memory of 1428	2456	SlipWare.exe	32
PID 2456 wrote to memory of 1428	2456	SlipWare.exe	32
PID 2456 wrote to memory of 1428	2456	SlipWare.exe	32
PID 2456 wrote to memory of 1428	2456	SlipWare.exe	32
PID 2456 wrote to memory of 2512	2456	SlipWare.exe	33
PID 2456 wrote to memory of 2512	2456	SlipWare.exe	33
PID 2456 wrote to memory of 2512	2456	SlipWare.exe	33

C:\Users\Admin\AppData\Local\Temp\SlipWare\SlipWare.exe
"C:\Users\Admin\AppData\Local\Temp\SlipWare\SlipWare.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\p4ekulwz.vb3\SLIPWARE.exe
  "C:\Users\Admin\AppData\Local\Temp\p4ekulwz.vb3\SLIPWARE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\p4ekulwz.vb3\SLIPWARE.exe
    "C:\Users\Admin\AppData\Local\Temp\p4ekulwz.vb3\SLIPWARE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1740
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2456 -s 1872
  2⤵
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30562\python310.dll

Filesize
4.3MB

MD5
316ce972b0104d68847ab38aba3de06a

SHA1
ca1e227fd7f1cfb1382102320dadef683213024b

SHA256
34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e

SHA512
a11da6590a71d977c62b1c26c275763413f6a455e6d85fa052654d05d845dbbe8122bbd8e0a23887f9873d4291382ebbd5df19674ad2dda1cf0ff3206054939b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
\Users\Admin\AppData\Local\Temp\p4ekulwz.vb3\SLIPWARE.exe

Filesize
15.9MB

MD5
d02ffbf31cf8236fe994dc676c8c159f

SHA1
8232e6c516bac5a851b43cd051ca45a48dd03890

SHA256
f44f917d218b8f82ceeaca4fb8e638cc5076aeea69e038f491674657e0a37e06

SHA512
cc985baabb789be8d0ce74a1b3aebb48afcf75fb32bf518a99d704f8869ee71de57e1bf9f4dc52177bb625db7bb47e32529ebd8be95714b4bc5fb09e895d347e

Download Submit
memory/2456-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/2456-1-0x0000000001090000-0x0000000003162000-memory.dmp

Filesize
32.8MB

Download
memory/2456-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-3-0x000000001D660000-0x000000001E682000-memory.dmp

Filesize
16.1MB

Download
memory/2456-4-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-5-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-122-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/2456-123-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-221-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing