MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternalRocks


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f
SHA3-384 hash: af9fa7c8003d3356d9bf9bbee0d829031d4294344a176442c0254e280db16d726a4f4e672b883ce4a486a2c4c062d799
SHA1 hash: f9cc03fb33beaf16c61c6cbdc912175f18c1caaf
MD5 hash: 971e552dfbad4e009516c598deabdf8a
humanhash: lion-mexico-ack-september
File name:small1.msi
Download: download sample
Signature EternalRocks
Create hunting rule
File size:1'785'856 bytes
First seen:2026-03-20 15:20:08 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:k1gn6jzdCcWbfdY9TKtsE+2T/wsJp95ldJ:kTdQbu9T2F0sJpf
TLSH T11B85332776BD4675D128A736AFE68E7D48B45D05020B1B4373F6F32876B24A8BC4B318
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:EternalRocks msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/fa83ba34-8433-4267-b51b-83f7274b5bde/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58333/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bd65bf88c80c01586c75fb
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer
Link:
https://www.filescan.io/uploads/69bd65b8493cb7d62d09244c/reports/d4f442c1-de11-4ba2-bfe9-c0573c04cd63/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f
Verdict:
Clean
File Type:
msi
Link:
https://opentip.kaspersky.com/b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1886954
Signature
Command shell drops VBS files
Found Tor onion address
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1886954 Sample: small1.msi Startdate: 20/03/2026 Architecture: WINDOWS Score: 100 57 k8s-ingressn-bscmainn-92244380d0-811109128.us-east-1.elb.amazonaws.com 2->57 59 www.themealdb.com 2->59 61 97 other IPs or domains 2->61 71 Suricata IDS alerts for network traffic 2->71 73 Sigma detected: WScript or CScript Dropper 2->73 75 Joe Sandbox ML detected suspicious sample 2->75 77 2 other signatures 2->77 11 explorer.exe 5 2->11         started        13 msiexec.exe 77 37 2->13         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 19 wscript.exe 1 11->19         started        53 C:\Users\user\AppData\...\taskhost_9eca.bat, ASCII 13->53 dropped 55 C:\Users\user\AppData\...\conhost_4b23.vbs, ASCII 13->55 dropped 115 Injects code into the Windows Explorer (explorer.exe) 13->115 22 explorer.exe 1 13->22         started        signatures6 process7 signatures8 79 Wscript starts Powershell (via cmd or directly) 19->79 81 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->81 83 Suspicious execution chain found 19->83 85 WScript reads language and country specific registry keys (likely country aware script) 19->85 24 cmd.exe 2 19->24         started        process9 file10 51 C:\Users\user\AppData\...\ec38e417633.vbs, ASCII 24->51 dropped 95 Suspicious powershell command line found 24->95 97 Wscript starts Powershell (via cmd or directly) 24->97 99 Uses ping.exe to sleep 24->99 101 4 other signatures 24->101 28 wscript.exe 1 24->28         started        31 PING.EXE 1 24->31         started        34 conhost.exe 24->34         started        36 4 other processes 24->36 signatures11 process12 dnsIp13 111 Wscript starts Powershell (via cmd or directly) 28->111 113 WScript reads language and country specific registry keys (likely country aware script) 28->113 38 cmd.exe 1 28->38         started        69 127.0.0.1 unknown unknown 31->69 signatures14 process15 signatures16 87 Suspicious powershell command line found 38->87 89 Wscript starts Powershell (via cmd or directly) 38->89 91 Uses ping.exe to sleep 38->91 93 Uses cmd line tools excessively to alter registry or file data 38->93 41 powershell.exe 22 32 38->41         started        45 conhost.exe 38->45         started        47 reg.exe 1 38->47         started        49 3 other processes 38->49 process17 dnsIp18 63 k8s-ingressn-bscmainn-92244380d0-811109128.us-east-1.elb.amazonaws.com 98.95.75.167 TWC-11351-NORTHEASTUS United States 41->63 65 dyna.wikimedia.org 208.80.154.224 WIKIMEDIAUS United States 41->65 67 73 other IPs or domains 41->67 103 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 41->103 105 Found Tor onion address 41->105 107 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->107 109 Hides threads from debuggers 41->109 signatures19
Score:
85%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f
Threat name:
Script.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-03-20 09:57:31 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
1 of 24 (4.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwkzzfmr6wyymjgp4zo74jizdjh7joybpsmvfnwtvztshlp24bhq._file
Verdict:
malicious
Label(s):
covenantc2
Create hunting rule
Similar samples:
error
EternalRocks
Result
Malware family:
deerstealer
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer discovery execution persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/260320-sqylxsay7n/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
DeerStealer
Deerstealer family
Detects DeerStealer
Malware family:
DeerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5959c9591f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/58333/

Comments