MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1
SHA3-384 hash: 2afe608221d2fce25a06689cbe0bffb4c54c6fcb3887cc84fa8851885867cd968bbfa0b064fdae258b5275e5acdd4177
SHA1 hash: f17395dcdfbe678c5ce20c72312cf356d66b1b9d
MD5 hash: 7ac8fb8e5e5f7b08b3c81f4d5f40c162
humanhash: ack-nineteen-fifteen-stairway
File name:7ac8fb8e5e5f7b08b3c81f4d5f40c162.exe
Download: download sample
Signature EternityStealer
Create hunting rule
File size:2'502'144 bytes
First seen:2023-04-04 05:49:53 UTC
Last seen:2023-04-04 06:36:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:VhgymR6xMhEp6SKDdtX0PdV8MF9uy1lO010ty:VhgFRXegDvosMF9uF
Threatray 95 similar samples on MalwareBazaar
TLSH T13AC5E1397BAB9612D1BDDE32C9F69410A3F184077222E92F7EDE02C50613B9E18C759D
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:EternityStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7ac8fb8e5e5f7b08b3c81f4d5f40c162.exe
Verdict:
Malicious activity
Analysis date:
2023-04-04 05:59:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ff2c691-4c3b-4551-acaf-fde4cbb0b3c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379891/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15717.29831.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/642bba8f05c72da113b360be/reports/2beb4289-0a94-40ef-a83a-f107b8945fed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c97ea44-2ea0-496e-a7e9-174f33e584ed
Result
Threat name:
Eternity Worm, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207736
Signature
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840653 Sample: kb1lK0ZBcl.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for domain / URL 2->64 66 Antivirus detection for URL or domain 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 9 other signatures 2->70 11 kb1lK0ZBcl.exe 3 2->11         started        15 kb1lK0ZBcl.exe 2 2->15         started        process3 file4 56 C:\Users\user\AppData\...\kb1lK0ZBcl.exe.log, ASCII 11->56 dropped 92 Self deletion via cmd or bat file 11->92 94 Injects a PE file into a foreign processes 11->94 17 kb1lK0ZBcl.exe 4 11->17         started        21 kb1lK0ZBcl.exe 11->21         started        signatures5 process6 file7 48 C:\Users\user\AppData\...\kb1lK0ZBcl.exe, PE32 17->48 dropped 50 C:\Users\...\kb1lK0ZBcl.exe:Zone.Identifier, ASCII 17->50 dropped 72 Self deletion via cmd or bat file 17->72 23 cmd.exe 1 17->23         started        signatures8 process9 signatures10 74 Uses schtasks.exe or at.exe to add and modify task schedules 23->74 76 Uses ping.exe to check the status of other devices and networks 23->76 26 kb1lK0ZBcl.exe 2 23->26         started        29 PING.EXE 1 23->29         started        32 conhost.exe 23->32         started        34 2 other processes 23->34 process11 dnsIp12 84 Multi AV Scanner detection for dropped file 26->84 86 Machine Learning detection for dropped file 26->86 36 kb1lK0ZBcl.exe 15 7 26->36         started        60 127.0.0.1 unknown unknown 29->60 62 192.168.2.1 unknown unknown 29->62 signatures13 process14 dnsIp15 58 167.88.170.23, 49696, 80 PONYNETUS United States 36->58 52 C:\Users\user\AppData\Local\Temp\swo.exe, PE32 36->52 dropped 54 C:\Users\user\AppData\Local\Temp\sw.exe, PE32 36->54 dropped 40 swo.exe 36->40         started        file16 process17 signatures18 78 Multi AV Scanner detection for dropped file 40->78 80 Machine Learning detection for dropped file 40->80 82 Injects a PE file into a foreign processes 40->82 43 swo.exe 40->43         started        46 swo.exe 40->46         started        process19 signatures20 88 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 43->88 90 Checks if the current machine is a virtual machine (disk enumeration) 43->90
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-04 05:50:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6uinjakcisybyqjogtvephuhnv4nnsyxmjmo3qf33bbwgsup3qq._file
Verdict:
malicious
Similar samples:
22d7e40c7ecc7fabf7f7b562e2d476dd0697e0f0482ce646de7771b44c29b1e9
EternityStealer
50ae1cc086fc3faeeb453c5923097b9328b63bbe19ed9f9c226bbb1b49a1917d
EternityStealer
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b
EternityStealer
67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea
EternityStealer
7a07dcc4ffcebbc11c2120d8fe342565e0dcbb11d76bbf43b1f0c7f04ee8fe91
EternityStealer
b3b2dc3be1936fdb02be2e420f7264bbe124f8e98e4c9a52b4793106bb283f73
EternityStealer
c1147a4f1f5430a49b73a9c0d7c86f5b47f6040eea6fa7e62f1fabbc54d65ef8
EternityStealer
d7a78307889ab55af6a1475ef731eaf1b19524601e093220afa3830707ff4810
EternityStealer
e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0
EternityStealer
+ 85 additional samples on MalwareBazaar
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity worm
Link:
https://tria.ge/reports/230404-gjls1adb95/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Eternity
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Unpacked files
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/4909da14-8ff3-449e-99d9-cae062adece3/
SH256 hash:
e537fe59c4a427ebb1033f30eec96a00f636e17152af982233412b983c2bdbb1
MD5 hash:
cfb35b5ee36a5bf7bf742cc71bfa83f8
SHA1 hash:
3fab9c9bcc7eb2b782fee100acd2d79522abf5ca
Link:
https://www.unpac.me/results/4909da14-8ff3-449e-99d9-cae062adece3/
SH256 hash:
d3aa234b34c660401e8dd3dde0f3916dbb90268785e47327320c03f9038ced86
MD5 hash:
2b258cd71c7359a780588a97f08b6afe
SHA1 hash:
39cf8a2721569c402df4f675fb47563539823e83
Link:
https://www.unpac.me/results/4909da14-8ff3-449e-99d9-cae062adece3/
SH256 hash:
9858ef56845f2ac0a5257ed64398e5bccde47f237998bd835711e2a3e4d1e362
MD5 hash:
8ce86a3f4e5fe7aee6b83c4652b5b2f6
SHA1 hash:
12c7e07b87eea05b808c040fd8f7de52b94a687f
Link:
https://www.unpac.me/results/4909da14-8ff3-449e-99d9-cae062adece3/
SH256 hash:
cb2c0ef3bf0c930ed398f3bc6347da9ef9048b609a232a89cfa781454be77306
MD5 hash:
1fb341c4a04da4aa42ea906971d366f3
SHA1 hash:
c73ce7725a57a6b08de417204ee26a9706d140d8
Link:
https://www.unpac.me/results/4909da14-8ff3-449e-99d9-cae062adece3/
SH256 hash:
37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1
MD5 hash:
7ac8fb8e5e5f7b08b3c81f4d5f40c162
SHA1 hash:
f17395dcdfbe678c5ce20c72312cf356d66b1b9d
Link:
https://www.unpac.me/results/4909da14-8ff3-449e-99d9-cae062adece3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37a886a40a12/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 37a886a40a122580e20971a7523cf43b6bc6b658bb12c76e05dec21b1a547ee1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/379891/
  
URLhaus
https://urlhaus.abuse.ch/url/2536806/
  
Delivery method
Distributed via web download

Comments