MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878
SHA3-384 hash: a917a878339d6ed88f0eb978c2b7de3a942ddb9646a55684c3d663f63007cbf9d4dfdf1251cd6b5792fe432d720413df
SHA1 hash: 5eee2643abcc2a3c388e456da96ea28d62ef504d
MD5 hash: 3133a2d3553f6058630f503bf2a7a862
humanhash: mars-comet-ceiling-uniform
File name:3133a2d3553f6058630f503bf2a7a862.exe
Download: download sample
Signature EternityStealer
Create hunting rule
File size:2'505'216 bytes
First seen:2023-03-29 19:08:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:QsHEkCiuD+moCQZhHUWYfo11q33dRGyRt7:bG1QZWo11q3FRF
TLSH T1ABC50121529EBF7FF03DAD3BC0643F4052B4EB152A02896D7D964A9CFD228955F4232B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:EternityStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3133a2d3553f6058630f503bf2a7a862.exe
Verdict:
Malicious activity
Analysis date:
2023-03-29 19:13:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7fe4b8b6-f37a-473f-bdfa-5757f5a5c111

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378587/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64248cd04fbb909ff92e5721/reports/e0582d26-6dfa-490a-8087-63d6d55877a2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab2c5c1d-c819-4f04-b8ac-8f14f8b8e695
Result
Threat name:
DarkTortilla, Eternity Worm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204620
Signature
Antivirus detection for URL or domain
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Schedule binary from dotnet directory
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Eternity Worm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 837542 Sample: QHUUJAuZkH.exe Startdate: 29/03/2023 Architecture: WINDOWS Score: 100 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Sigma detected: Schedule binary from dotnet directory 2->52 54 6 other signatures 2->54 9 QHUUJAuZkH.exe 3 2->9         started        13 InstallUtil.exe 3 2->13         started        15 InstallUtil.exe 3 2->15         started        17 InstallUtil.exe 3 2->17         started        process3 file4 44 C:\Users\user\AppData\...\QHUUJAuZkH.exe.log, ASCII 9->44 dropped 56 Writes to foreign memory regions 9->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->58 60 Injects a PE file into a foreign processes 9->60 19 InstallUtil.exe 4 9->19         started        22 conhost.exe 13->22         started        24 conhost.exe 15->24         started        26 conhost.exe 17->26         started        signatures5 process6 file7 42 C:\Users\user\AppData\...\InstallUtil.exe, PE32 19->42 dropped 28 cmd.exe 1 19->28         started        process8 signatures9 62 Uses schtasks.exe or at.exe to add and modify task schedules 28->62 64 Uses ping.exe to check the status of other devices and networks 28->64 31 PING.EXE 1 28->31         started        34 InstallUtil.exe 3 28->34         started        36 conhost.exe 28->36         started        38 2 other processes 28->38 process10 dnsIp11 46 127.0.0.1 unknown unknown 31->46 40 conhost.exe 34->40         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-29 11:17:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
97
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyyeubmfg35pj2y7jg3hw32fohyssinocr7bccatkjldtuoivb4a._file
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity worm
Link:
https://tria.ge/reports/230329-xtsmasbc2y/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Eternity
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Unpacked files
SH256 hash:
46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878
MD5 hash:
3133a2d3553f6058630f503bf2a7a862
SHA1 hash:
5eee2643abcc2a3c388e456da96ea28d62ef504d
Link:
https://www.unpac.me/results/d3913e30-4483-4123-995e-06ae6ce5e869/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46304a058536/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 46304a058536faf4eb1f49b67b6f4571f12921ae147e110813525639d1c8a878

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2536806/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/378587/

Comments