MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34d7b7acc83bbe98199dc274c2987bfc3bbceca10af15d48e94b1109010f51a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34d7b7acc83bbe98199dc274c2987bfc3bbceca10af15d48e94b1109010f51a0
SHA3-384 hash: 7997abbb26b5c5d52967017ecf8fea02a0068556845c652f2d890bb7f5d7cc2bbf7064191d7b929aa00aa05991abc8d7
SHA1 hash: cdf7083616f4f8bef30b1bc67d19b0037b6c8846
MD5 hash: a4ccb401ae3dbc14d1685733213711d2
humanhash: crazy-violet-ceiling-finch
File name:a4ccb401ae3dbc14d1685733213711d2.exe
Download: download sample
Signature EternityStealer
Create hunting rule
File size:182'784 bytes
First seen:2022-09-25 07:07:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:JpOzm0fcadeI25kvhOtDnCb5/OKsDjRCiiMuJ9HKb0zpMqxAEE4zYYUj:JK3eIVmzCkRbuTHKRD
Threatray 17 similar samples on MalwareBazaar
TLSH T111040284FBD05C5BD91297B44BE7E31C7378DA060FBBCF1B241891FA6C623A05E265A4
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00868ecccce8cc50 (2 x EternityStealer, 1 x AsyncRAT)
Reporter abuse_ch
Tags:EternityStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313111/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.14469.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Running batch commands
Launching the process to change network settings
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/632ffe9026a88abc7d25ff3a/reports/6d8fdaea-65ec-4bb2-9d75-3293cf5c2c67/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3e566ce4-2007-4c34-87cb-7be26c2ad825
Result
Threat name:
Eternity Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076782
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected Eternity Stealer
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 709324 Sample: N3gA1d2efb.exe Startdate: 25/09/2022 Architecture: WINDOWS Score: 100 53 t.me 2->53 55 pastebin.com 2->55 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 10 other signatures 2->67 9 N3gA1d2efb.exe 16 7 2->9         started        14 Thfqedb.exe 14 2 2->14         started        16 Thfqedb.exe 2 2->16         started        signatures3 process4 dnsIp5 59 85.192.63.240, 49694, 49698, 49700 LINEGROUP-ASRU Russian Federation 9->59 47 C:\Users\user\AppData\Roaming\...\Thfqedb.exe, PE32 9->47 dropped 49 C:\Users\user\...\Thfqedb.exe:Zone.Identifier, ASCII 9->49 dropped 51 C:\Users\user\AppData\...513gA1d2efb.exe.log, ASCII 9->51 dropped 81 May check the online IP address of the machine 9->81 83 Encrypted powershell cmdline option found 9->83 85 Tries to harvest and steal WLAN passwords 9->85 89 2 other signatures 9->89 18 N3gA1d2efb.exe 1 3 9->18         started        22 powershell.exe 14 9->22         started        87 Machine Learning detection for dropped file 14->87 file6 signatures7 process8 dnsIp9 57 ip-api.com 208.95.112.1, 49699, 80 TUT-ASUS United States 18->57 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->69 71 Tries to steal Mail credentials (via file / registry access) 18->71 73 Tries to harvest and steal browser information (history, passwords, etc) 18->73 75 2 other signatures 18->75 24 cmd.exe 1 18->24         started        27 cmd.exe 18->27         started        29 conhost.exe 22->29         started        signatures10 process11 signatures12 77 Uses netsh to modify the Windows network and firewall settings 24->77 79 Tries to harvest and steal WLAN passwords 24->79 31 netsh.exe 3 24->31         started        33 conhost.exe 24->33         started        35 chcp.com 1 24->35         started        37 findstr.exe 24->37         started        39 conhost.exe 27->39         started        41 chcp.com 27->41         started        43 netsh.exe 27->43         started        45 findstr.exe 27->45         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34d7b7acc83bbe98199dc274c2987bfc3bbceca10af15d48e94b1109010f51a0/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-25 07:08:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gtl3plgiho7jqgm5yj2mfgd37q53z3fbblyv2shjjmiqsaipkgqa._file
Verdict:
malicious
Similar samples:
29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95
EternityStealer
41e282a6b34497e1d91e16e6ce75c1c2411ba8c050d4cd44f075e556192a45a0
EternityStealer
5bd0413417385740c8e5a03c51900a7ad5673e17b459333c74024385b6ca688a
EternityStealer
87d55703f23f068bfb656f3a108f22940a0f946c6f98316dc96cb331ba1a4346
EternityStealer
92814edb0e2968d50983f19400b15610c405a3e5ec3af096597f2daa6f2a5142
EternityStealer
94c64f12afd02a13f709021efe6a3676f92ee6ea68ea91b67e476ba603c0b79b
EternityStealer
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
EternityStealer
a528ba093c83d0a15628447345e460b0b9311646a564d676bdd8d7765455a665
EternityStealer
acbc5e7367f627f945f99b9b6e5b3debe0ab53bd62474f2c8e59564e2883217f
EternityStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity collection persistence spyware stealer
Link:
https://tria.ge/reports/220925-hx74tsfabl/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Eternity
Malware Config
C2 Extraction:
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2af2115f-3587-434c-8469-9eddf0c95e76
Unpacked files
SH256 hash:
34d7b7acc83bbe98199dc274c2987bfc3bbceca10af15d48e94b1109010f51a0
MD5 hash:
a4ccb401ae3dbc14d1685733213711d2
SHA1 hash:
cdf7083616f4f8bef30b1bc67d19b0037b6c8846
Link:
https://www.unpac.me/results/4b050b38-a213-4ea8-bec4-b6a478a643cf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34d7b7acc83b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/34d7b7acc83bbe98199dc274c2987bfc3bbceca10af15d48e94b1109010f51a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 34d7b7acc83bbe98199dc274c2987bfc3bbceca10af15d48e94b1109010f51a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2313322/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/313111/

Comments