MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102
SHA3-384 hash: e0f349a206e37f3e5e26db24a09e2091fd81227bfb40b4d619056b5aef321dcbad07e31147a9e7fb8e4bbe0d10116c66
SHA1 hash: 3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f
MD5 hash: cc5fcae70f636b3ffa04811e2a6153f7
humanhash: snake-venus-oxygen-july
File name:cc5fcae70f636b3ffa04811e2a6153f7
Download: download sample
Signature EternityStealer
Create hunting rule
File size:3'467'776 bytes
First seen:2022-11-27 07:22:12 UTC
Last seen:2022-11-27 08:31:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:hHmVzuboSz63u94iSa7e1zLTdiVOiZMR+MJbZ5d:hH86qu94J1nTdiVOyMJbvd
TLSH T13CF523227273BE76D7ACCC30C0C162153FA18F459276FA4AFDBB36A41E023656D87649
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 EternityStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
219c1d87426d8ed8b3e62176d1291f80.exe
Verdict:
Malicious activity
Analysis date:
2022-11-27 07:20:54 UTC
Tags:
loader trojan rat redline
Link:
https://app.any.run/tasks/7dbbbd32-b832-4535-8529-35f2d5f91cc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338967/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13343.8658.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63831057559d07a06f47b782/reports/1e90bbc4-ce63-442b-a072-b691516a7a4d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/513ba24c-633b-4e2f-b2b0-d3248cf6b592
Result
Threat name:
Eternity Worm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121840
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754557 Sample: yAwLHyHg9v.exe Startdate: 27/11/2022 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus detection for URL or domain 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 9 other signatures 2->67 9 yAwLHyHg9v.exe 6 2->9         started        13 xeDloyk.exe 2 2->13         started        15 yAwLHyHg9v.exe 2 2->15         started        process3 file4 47 C:\Users\user\AppData\Roaming\xeDloyk.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\tmpE3A5.tmp, XML 9->49 dropped 51 C:\Users\user\AppData\...\yAwLHyHg9v.exe.log, ASCII 9->51 dropped 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->71 73 Self deletion via cmd or bat file 9->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 9->75 77 Injects a PE file into a foreign processes 9->77 17 yAwLHyHg9v.exe 2 9->17         started        19 schtasks.exe 1 9->19         started        79 Multi AV Scanner detection for dropped file 13->79 81 Machine Learning detection for dropped file 13->81 signatures5 process6 process7 21 yAwLHyHg9v.exe 4 17->21         started        26 yAwLHyHg9v.exe 17->26         started        28 conhost.exe 19->28         started        dnsIp8 55 192.168.2.1 unknown unknown 21->55 43 C:\Users\user\AppData\...\yAwLHyHg9v.exe, PE32 21->43 dropped 45 C:\Users\...\yAwLHyHg9v.exe:Zone.Identifier, ASCII 21->45 dropped 69 Self deletion via cmd or bat file 21->69 30 cmd.exe 1 21->30         started        file9 signatures10 process11 signatures12 83 Uses ping.exe to check the status of other devices and networks 30->83 33 yAwLHyHg9v.exe 2 30->33         started        36 PING.EXE 1 30->36         started        39 conhost.exe 30->39         started        41 2 other processes 30->41 process13 dnsIp14 57 Multi AV Scanner detection for dropped file 33->57 59 Machine Learning detection for dropped file 33->59 53 127.0.0.1 unknown unknown 36->53 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 19:42:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aekwx3bt2e3y2ofkc2xgmbouozxsblc7jde3wlahircx76o6geba._file
Verdict:
malicious
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity evasion
Link:
https://tria.ge/reports/221127-h7tn7adb4v/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Eternity
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe
Unpacked files
SH256 hash:
8a9e7f7d21e85dc3194daf69680a1f7ea4839787cc1e51f67cdff95e283504fa
MD5 hash:
8d9a4a687d4dab4eff13ea213ba893c7
SHA1 hash:
f2056c7b840a8fe3bf3cdf21276d19c6985fedc4
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
SH256 hash:
08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951
MD5 hash:
17f511ac04c38cc724a32db5ee6396df
SHA1 hash:
989d1cb5f7e47a84c375b7413928d7ab73e24ff5
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
SH256 hash:
853e833a2817081bab8513acd21674f612d056288b857b004d8cb5ba89cb16da
MD5 hash:
c78494f8696bbfd1ad1c0419a9ec0198
SHA1 hash:
ee3a554dfa99fe9d96f9b60c764eae842bebfc70
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
SH256 hash:
157c7bc8ca35747302c3eb295a487f5ca38cf7c0b4679efb1ad6a1f74e786887
MD5 hash:
0945928511e0ac6a0b58233bee887328
SHA1 hash:
e047e7d702faf8d35ce370c1cd44e260803b5fca
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
SH256 hash:
68c807b63de6213343050f108c84cda3423e00c1ae74548fc340953c07be1c95
MD5 hash:
99e291eecf263bd3525a646b18471c72
SHA1 hash:
f3fe3167ea8ebc00913a37c9486f13b99c49feaa
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
SH256 hash:
01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102
MD5 hash:
cc5fcae70f636b3ffa04811e2a6153f7
SHA1 hash:
3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f
Link:
https://www.unpac.me/results/b8993544-d571-4430-8c84-1338f1f8890e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2434491/
Cape
Cape
https://www.capesandbox.com/analysis/338967/

Comments


Avatar
zbet commented on 2022-11-27 07:22:21 UTC

url : hxxp://167.88.170.23/w993.exe