MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350
SHA3-384 hash: 79bad97e5114a6abe9cb14deac4acd7b1219d9f6c9e82df52d7568c832027e5e629ef66ee27cadd0ca05110ccafd9a35
SHA1 hash: 3fd10817472a083f311357dec8da57c2faebdaaa
MD5 hash: a7a196d624419f968ec6d42380a87305
humanhash: michigan-avocado-early-quiet
File name:a7a196d624419f968ec6d42380a87305
Download: download sample
Signature EternityStealer
Create hunting rule
File size:3'081'424 bytes
First seen:2022-11-18 06:23:18 UTC
Last seen:2022-11-18 07:45:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15e5ac4e63af04f3034d99698484adf1 (2 x EternityStealer, 1 x RedLineStealer)
ssdeep 49152:wKr5kr23HrjKjF6eKWubuKjiH3bVgGIR50nlUnd0MSw4ZmUtn3YFs:r02bGjF6vb9jqbdI3EUdPMh3Y
TLSH T181E59017AE0E1C89FD98FD391A8A69902B265F44AF5F579F33499957D2BE303036C032
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 55c4c4d8ccd4d04d (1 x EternityStealer)
Reporter zbetcheckin
Tags:32 EternityStealer exe signed

Code Signing Certificate

Organisation:*.bayt.com
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-27T08:21:35Z
Valid to:2023-06-28T11:01:00Z
Serial number: 5b0b4cd67fa76978
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 93c571e70b78cb3d4d9b563584995c5b939a56fad64658cd5322bfe07bbe5a80
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7a196d624419f968ec6d42380a87305
Verdict:
No threats detected
Analysis date:
2022-11-18 06:24:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f698c9f-e4d1-491a-995d-1571a3869c24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335653/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.11032.6390.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Changing a file
Creating a process from a recently created file
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6377250507c3f5e84a01bd68/reports/2a94f849-c980-4684-a313-2db71b8ef083/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Tandem Espionage
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89b5e126-5cfb-42a8-9e86-74758fb5966f
Result
Threat name:
Eternity Worm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1116320
Signature
Allocates memory in foreign processes
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Schedule binary from dotnet directory
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 749029 Sample: CBaNASmPwf.exe Startdate: 18/11/2022 Architecture: WINDOWS Score: 96 44 Multi AV Scanner detection for submitted file 2->44 46 Sigma detected: Schedule binary from dotnet directory 2->46 48 Yara detected Eternity Worm 2->48 50 3 other signatures 2->50 9 CBaNASmPwf.exe 13 2->9         started        13 ngentask.exe 1 2->13         started        process3 dnsIp4 38 imarket-eg.com 160.153.50.70, 443, 49697 AS-26496-GO-DADDY-COM-LLCUS United States 9->38 40 www.imarket-eg.com 9->40 42 vw9q8uzembvj0iq8k.yvxkdlkx 9->42 56 Writes to foreign memory regions 9->56 58 Allocates memory in foreign processes 9->58 60 Injects a PE file into a foreign processes 9->60 15 ngentask.exe 4 9->15         started        18 conhost.exe 13->18         started        signatures5 process6 file7 34 C:\Users\user\AppData\Local\...\ngentask.exe, PE32 15->34 dropped 20 cmd.exe 1 15->20         started        process8 signatures9 52 Uses schtasks.exe or at.exe to add and modify task schedules 20->52 54 Uses ping.exe to check the status of other devices and networks 20->54 23 PING.EXE 1 20->23         started        26 ngentask.exe 2 20->26         started        28 conhost.exe 20->28         started        30 2 other processes 20->30 process10 dnsIp11 36 127.0.0.1 unknown unknown 23->36 32 conhost.exe 26->32         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 06:24:18 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdmhqgtrrxytnnjyhqli65sjdcxxdbjiih5ya74cpaol37vb4nia._file
Verdict:
malicious
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity
Link:
https://tria.ge/reports/221118-g5224scf5x/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Eternity
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76973f7f-b61d-49c5-8a6e-52120d708a47
Unpacked files
SH256 hash:
f6607febc99df2f6b164a27832b9cf5d53f44c2dd6c8515781f03f93b4430342
MD5 hash:
67e8636d2a420bbabb19f5f3574a5bd2
SHA1 hash:
fa187441e6007c2dda37323e2ef99b03e2a5e724
Link:
https://www.unpac.me/results/dab0b0fe-8fdf-4bcf-9495-d2506936dab2/
SH256 hash:
08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350
MD5 hash:
a7a196d624419f968ec6d42380a87305
SHA1 hash:
3fd10817472a083f311357dec8da57c2faebdaaa
Link:
https://www.unpac.me/results/dab0b0fe-8fdf-4bcf-9495-d2506936dab2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08d8781a718d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425291/
Cape
Cape
https://www.capesandbox.com/analysis/335653/

Comments


Avatar
zbet commented on 2022-11-18 06:23:31 UTC

url : hxxp://193.218.201.246/1.exe