MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
SHA3-384 hash: 0aaf34d2415131a50155f5587fd5cb50c9c838f1be716c6eb98861611e531fa349f867d6c73f558bb589897c7bdbc406
SHA1 hash: 7c36d57af94f2dd16a62c09356b4ef2c63e456fd
MD5 hash: 2f8df206ba700503dbebf59e937af0ec
humanhash: neptune-angel-thirteen-west
File name:2f8df206ba700503dbebf59e937af0ec
Download: download sample
Signature EternityStealer
Create hunting rule
File size:1'138'176 bytes
First seen:2022-11-18 06:38:12 UTC
Last seen:2022-11-18 08:56:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15e5ac4e63af04f3034d99698484adf1 (2 x EternityStealer, 1 x RedLineStealer)
ssdeep 24576:+JqzI2HEUvWMJsbHsoO0YTyllU3OWuA5aRn:+JrbG70Y4WFZ8Rn
TLSH T1B435F16AF7C2513BE845F2780A5381B5B6B7E8509E202F637522EA1F2D72087DC5707E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8e0749556565338e (1 x Formbook, 1 x EternityStealer)
Reporter zbetcheckin
Tags:32 EternityStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f8df206ba700503dbebf59e937af0ec
Verdict:
Malicious activity
Analysis date:
2022-11-18 06:39:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/248b8694-697e-471b-979f-b6d2ff2af495

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335667/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.31107.7481.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Changing a file
Creating a process from a recently created file
Searching for the window
Forced shutdown of a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6377288707c3f5e84a01bde1/reports/3a68c0e4-ef65-4237-9709-71cfaf3d35bd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Eternity Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab317861-78e1-4691-8a9d-1035688219d6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1116350
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Schedule binary from dotnet directory
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 749056 Sample: QHSgso4hXH.exe Startdate: 18/11/2022 Architecture: WINDOWS Score: 88 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: Schedule binary from dotnet directory 2->56 58 Machine Learning detection for sample 2->58 9 QHSgso4hXH.exe 13 2->9         started        13 ngentask.exe 1 2->13         started        15 ngentask.exe 1 2->15         started        17 ngentask.exe 1 2->17         started        process3 dnsIp4 44 imarket-eg.com 160.153.50.70, 443, 49702 AS-26496-GO-DADDY-COM-LLCUS United States 9->44 46 www.imarket-eg.com 9->46 48 vxsljuxgekdpuv.307xvytdn0 9->48 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Injects a PE file into a foreign processes 9->64 19 ngentask.exe 4 9->19         started        22 conhost.exe 13->22         started        24 conhost.exe 15->24         started        26 conhost.exe 17->26         started        signatures5 process6 file7 42 C:\Users\user\AppData\Local\...\ngentask.exe, PE32 19->42 dropped 28 cmd.exe 1 19->28         started        process8 signatures9 66 Uses schtasks.exe or at.exe to add and modify task schedules 28->66 68 Uses ping.exe to check the status of other devices and networks 28->68 31 PING.EXE 1 28->31         started        34 ngentask.exe 2 28->34         started        36 conhost.exe 28->36         started        38 2 other processes 28->38 process10 dnsIp11 50 127.0.0.1 unknown unknown 31->50 40 conhost.exe 34->40         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7/
Threat name:
Win32.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 06:39:10 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=noyvmtwkredr5xm4ik4ejano2xz7lkwm5w4pmhlpxcjlp4el3stq._file
Verdict:
malicious
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity
Link:
https://tria.ge/reports/221118-hel4mscf7z/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Eternity
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fbd9d8ab-9798-4983-a088-a7734af197a1
Unpacked files
SH256 hash:
0dcae25277b73bbecbe6f0d83071038bde2fca0c4994d473f9ba4e318602e3fd
MD5 hash:
2153b7e91eb1fb0eeb6612468f3347e7
SHA1 hash:
e2deff2e673648838f6f787d1759724b39b18693
Link:
https://www.unpac.me/results/a17d486a-0f04-4c12-8cd8-8cde20f42f8f/
SH256 hash:
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
MD5 hash:
2f8df206ba700503dbebf59e937af0ec
SHA1 hash:
7c36d57af94f2dd16a62c09356b4ef2c63e456fd
Link:
https://www.unpac.me/results/a17d486a-0f04-4c12-8cd8-8cde20f42f8f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6bb1564eca89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425352/
Cape
Cape
https://www.capesandbox.com/analysis/335667/

Comments


Avatar
zbet commented on 2022-11-18 06:38:18 UTC

url : hxxp://193.218.201.246/web2.exe