MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef
SHA3-384 hash: f6ae9a1fcbddd27d017dadace2fd1331fe95a06ee7820c97126248d37031f037abd3a6525fb5f674b05463baffd863d7
SHA1 hash: 8a410c54db44221acbb341815d49109594b50300
MD5 hash: a68ccf819e65e63c220113ba45c1a13b
humanhash: vegan-quebec-kilo-sodium
File name:a68ccf819e65e63c220113ba45c1a13b.exe
Download: download sample
Signature EternityStealer
Create hunting rule
File size:2'532'352 bytes
First seen:2023-04-05 13:13:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:HfUxAfB9iuK++moKnfNIGQaK83uHU/uYfo11qis3s4b+6GIAANEN2tXL6Y3TEhi2:DLiuD+moCQZhHUWYfo11q33dRGyRt7
Threatray 87 similar samples on MalwareBazaar
TLSH T181C50190849ABFE9F0381CBBC7A0B70153E8F72B2207D79D6E8D055DE858DD56B29213
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:EternityStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a68ccf819e65e63c220113ba45c1a13b.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 13:15:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/271da3ac-03c9-41bd-a440-8cfc87cd3df8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380319/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23297.22305.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/642d74202f938d3b4e06107e/reports/0588a9a6-88a7-4853-a07b-3ab7b76c54a0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8d55f9f-44a9-4e45-b6d0-49c81f6d4c57
Result
Threat name:
DarkTortilla, Eternity Worm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209113
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Schedule binary from dotnet directory
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Eternity Worm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842028 Sample: sIr3VbBoLU.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 44 Antivirus detection for URL or domain 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 7 other signatures 2->50 9 sIr3VbBoLU.exe 2 2->9         started        12 InstallUtil.exe 3 2->12         started        process3 signatures4 56 Writes to foreign memory regions 9->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->58 60 Injects a PE file into a foreign processes 9->60 14 InstallUtil.exe 4 9->14         started        18 WerFault.exe 24 9 9->18         started        20 conhost.exe 12->20         started        process5 dnsIp6 42 192.168.2.1 unknown unknown 14->42 36 C:\Users\user\AppData\...\InstallUtil.exe, PE32 14->36 dropped 22 cmd.exe 1 14->22         started        38 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->38 dropped file7 process8 signatures9 52 Uses schtasks.exe or at.exe to add and modify task schedules 22->52 54 Uses ping.exe to check the status of other devices and networks 22->54 25 PING.EXE 1 22->25         started        28 InstallUtil.exe 3 22->28         started        30 conhost.exe 22->30         started        32 2 other processes 22->32 process10 dnsIp11 40 127.0.0.1 unknown unknown 25->40 34 conhost.exe 28->34         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 08:29:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
97
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epyj3easyjp3xjpqjmdeqn46jsfeftrkfqyl577ekmvxckih4hxq._file
Verdict:
malicious
Similar samples:
069ed36bdd5046201359415dab896f99f2e5adb89eb54c2e652786e0ccd79330
EternityStealer
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce
EternityStealer
3deb90aba1fd4484ac6b29a7e1bbbc65237d3c7abd3344edd8a94d1db6f213bc
EternityStealer
46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878
EternityStealer
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038
EternityStealer
5d5ba4fa49441043304c8ef33dd2237d3c1e1272ef520e3c32eb936859984b15
EternityStealer
7b3eed5a83ba7d77cf91e87d1d200d0211fa8e3c9eaa557996ba9487023b28d3
EternityStealer
ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87
EternityStealer
e72ba123ab2230b92c80767c89f37989b3e342b6afb61d638c4ae92192cb744f
EternityStealer
+ 77 additional samples on MalwareBazaar
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity worm
Link:
https://tria.ge/reports/230405-qgndgsgh2t/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Eternity
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Unpacked files
SH256 hash:
23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef
MD5 hash:
a68ccf819e65e63c220113ba45c1a13b
SHA1 hash:
8a410c54db44221acbb341815d49109594b50300
Link:
https://www.unpac.me/results/6ac65dad-8085-426b-bbc5-195b16930197/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/23f09d9012c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 23f09d9012c25fbba5f04b0648379e4c8a42ce2a2c30beffe4532b712907e1ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2536806/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/380319/

Comments