MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cded3354fbcfaad7112c599b3622680a632e601602ea4f5faa07a6bcc8cbeaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



EternityStealer


Vendor detections: 11



SHA256 hash: 3cded3354fbcfaad7112c599b3622680a632e601602ea4f5faa07a6bcc8cbeaf
SHA3-384 hash: 85ff0d60644abfe53acba24f77e3338555d8e34845bee20e01c6dee87f2ba040927980861e9ca62a57854340398b8117
SHA1 hash: 742c9021f4f0fb264c32a59a66e3ac514b8e166b
MD5 hash: dafc8e7ccd381af36f19267a2a9b3f9b
humanhash: nuts-fix-juliet-bravo
File name: lbcr.exe
Signature: EternityStealer
File size: 355'328 bytes
First seen: 2023-01-20 03:42:20 UTC
Last seen: 2023-01-26 05:34:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:58CS6KWJ0XJWcPZ1PiqbeiS8XDMs9HHCUA:KC9IgWrPiN0YEHHFA
TLSH: T1EF747E2E9B49CFC3F4CC5DF2465201B253FFA85A285E436E8E5175B668523C216DB08F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f8b4e0d0d0e2ec70 (5 x RedLineStealer, 1 x EternityStealer, 1 x Stealc)
Reporter: r3dbU7z
Tags: EternityStealer exe Ransomware

Intelligence

File Origin
# of uploads: 4
# of downloads: 585
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: lbcr.exe
Verdict: Malicious activity
Analysis date: 2023-01-20 03:44:12 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Launching a service
Changing a file
Reading critical registry keys
Modifying an executable file
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Enabling autorun with the shell\open\command registry branches
Stealing user critical data
Creating a file in the mass storage device
Enabling autorun by creating a file
Encrypting user's files

Verdict: No Threat
Threat level: 2/10
Confidence: 80%
Tags: obfuscated packed
Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Eternity Ransomware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100

Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Disables the Windows task manager (taskmgr)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sets file extension default program settings to executables
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph ID: 787999 (sample: lbcr.exe, start date: 20/01/2023, architecture: WINDOWS, score: 100). The rendered process graph is not reproduced here; the processes it shows are lbcr.exe, cmd.exe, PING.EXE (contacting 127.0.0.1), conhost.exe, chcp.com and vssadmin.exe, with files dropped under C:\Users\user\AppData\Local\ and C:\Users\user\Desktop\ (full paths elided in the graph export).
Threat name: ByteCode-MSIL.Trojan.RealProtectPENGSD
Status: Malicious
First seen: 2023-01-20 02:24:04 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: eternity
Score: 10/10
Tags: family:eternity evasion ransomware

Behaviour
Creates scheduled task(s)
Interacts with shadow copies
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Checks computer location settings
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Eternity
Unpacked files
SHA256 hash: f4d626fdb9bbb2fecaf4eba2f03db99875c1410beffa641adbf741132e1a6c2f
MD5 hash: adc58a2e5e4ee12e37210bb1ce44e92a
SHA1 hash: 1f88297c23d085b4c9fa8491c3769b66ac75b28e

SHA256 hash: 0969a83bebe9c8fe7814f87df887700ae3a6d7cd29a5dd0572ffe66e3561d49c
MD5 hash: 9072f96a1f6127bae66fd3bce1b7ca70
SHA1 hash: bec7d2d562ef7d748f3abbf82fd34adaab48b31c

SHA256 hash: 3cded3354fbcfaad7112c599b3622680a632e601602ea4f5faa07a6bcc8cbeaf
MD5 hash: dafc8e7ccd381af36f19267a2a9b3f9b
SHA1 hash: 742c9021f4f0fb264c32a59a66e3ac514b8e166b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AsyncRat_Detection_Dec_2022
Author: Potatech
Description: AsyncRat

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_Eternity
Author: 0xToxin
Description: Eternity function routines

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: EternityStealer, Executable exe 3cded3354fbcfaad7112c599b3622680a632e601602ea4f5faa07a6bcc8cbeaf (this sample)

Delivery method: Distributed via web download
