Overview

overview

10

Static

static

10

EMV Reader....6.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags

    arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24/03/2025, 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EMV Reader-Writer v8.6/EMV Reader-Writer v8.6.exe

  • Size

    338KB

  • MD5

    6b2aa828fd00b099b6a3f4acb72b96bc

  • SHA1

    cfb0ecfdf321d7f3cf068e40bc24b9e29c8ca686

  • SHA256

    60f53aece03a8119efd11af5a161d354604fa5f92354b4d39018b2f0b781e65b

  • SHA512

    82a5ed821f5e0b02661c88f8d777458703894d8723929dce35c9758e3bcd7d020e8dc27a89e2f7c5eee2f8f92bd69d3a6b3b303d7dc00506c433dfbce0331089

  • SSDEEP

    6144:tEtm1/I1LrZ1GXMe9rg5K33kf5n0RbsmxvHWw1i:tEtmexgMe9v0f5n02w2X

Score
10/10
eternitycollectiondiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

eternity

C2

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Eternity family
    eternity
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EMV Reader-Writer v8.6\EMV Reader-Writer v8.6.exe
    "C:\Users\Admin\AppData\Local\Temp\EMV Reader-Writer v8.6\EMV Reader-Writer v8.6.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:4524
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3132
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:4504
        • C:\Windows\system32\findstr.exe
          findstr All
          3⤵
            PID:5092
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
          2⤵
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Windows\system32\chcp.com
            chcp 65001
            3⤵
              PID:4848
            • C:\Windows\system32\netsh.exe
              netsh wlan show profile name="65001" key=clear
              3⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:4868
            • C:\Windows\system32\findstr.exe
              findstr Key
              3⤵
                PID:4620

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4524-0-0x00007FF9D7C93000-0x00007FF9D7C95000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4524-1-0x000002233AF00000-0x000002233AF5A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/4524-2-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4524-3-0x00000223556D0000-0x0000022355720000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4524-4-0x00007FF9D7C93000-0x00007FF9D7C95000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4524-5-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

            Filesize

            10.8MB

            Download