MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

EternalRocks

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9
SHA3-384 hash:	fb7dcd6b700cbeb40b2e975bb9e2e98b3f144f48cccdee5c0c7428b75785e36d7427b341c9cbc2a02c61ccf4b20bad0c
SHA1 hash:	48c5b9d78be2b25e3abb0d930ce133ba4bbacc3f
MD5 hash:	abe99d1442050f71efc2eca60d7f2566
humanhash:	skylark-eighteen-india-jupiter
File name:	svchost_7e95.bat
Download:	download sample
Signature	EternalRocks Create hunting rule
File size:	1'976'323 bytes
First seen:	2026-04-04 18:20:46 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	24576:7a/sfjfoPnkiEapPHlKPcVcnn1FL+tkAxourJFNri3jUHlS2JAq+pTyetuGGscbd:OfcnnQxourIS5qorTnnBuWxt
Threatray	24 similar samples on MalwareBazaar
TLSH	T1409523E161631F224B509127FDFF0F161B4D8983582C95A263C3BCAF536AF208D799E9
Magika	batch
Reporter	KnownSpotter
Tags:	bat EternalRocks

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

18ea4970eac7cc6539d211acd268c01903c5c999b2fb3381a364fd17fdb3efa9

Verdict:

Malicious activity

Analysis date:

2026-03-19 23:00:40 UTC

Tags:

generated-doc susp-powershell etherhiding evasion anti-evasion salatstealer stealer upx golang

Link:

https://app.any.run/tasks/334a2470-cb28-4153-a04e-87c805c7bbed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/60447/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69bcd75788c80c01586c4a2a

Tags:

dropper shell sage

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Running batch commands

Launching a process

Creating a file

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Creating a process with a hidden window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd evasive lolbin obfuscated ping wscript

Link:

https://www.filescan.io/uploads/69d15696be4fad62665fcbe1/reports/334f8ca7-c2e7-4084-9b42-9d0c21188773/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-03-19T15:13:00Z UTC

Last seen:

2026-03-25T23:59:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9/results?tab=lookup

Score:

86%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9/

Verdict:

Malicious

Threat:

Family.SALATSTEALER

Link:

https://tip.neiki.dev/file/c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9

Threat name:

Text.Trojan.Generic

Status:

Suspicious

First seen:

2026-03-19 20:28:43 UTC

File Type:

Text (Batch)

AV detection:

4 of 23 (17.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yewcnvlbdidktor2crx2s2w2332okihsrkhdpe4dpp46qkxa6s4q._file

Verdict:

malicious

Label(s):

covenantc2

EternalRocks

878140b4707782a2b7d838d11586ff4696216485e65750a145b5e13cd88b5960

EternalRocks

b1ce4ebb517a44e305e22ef9221c1b66c3e7f9327f4ae007a4e18144f4f97add

EternalRocks

b5959c9591f5b18624cfe65dfe25191a4ff4bb017c9952b6d3ae6723adfae04f

EternalRocks

b7e3ad81e77be85e826148eb7e299b7f3b918b6a06c548057a459adbbbf6ad71

EternalRocks

c9a6df0651955becb0087d00b3a4395a9fd0f26074ca117c6402a8b382fdd37e

EternalRocks

dc87e3974829f25f56a0f1a822823670e0e29b5509995726e90fafe817ed5318

EternalRocks

df2db25046baec03fde1d8e8ee145c2271dae2b3759ee26b325c54fd7d0821af

EternalRocks

+ 14 additional samples on MalwareBazaar

Result

Malware family:

salatstealer

Score:

10/10

Tags:

family:salatstealer discovery execution stealer upx

Link:

https://tria.ge/reports/260404-wzc85abt2l/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect SalatStealer payload

Salatstealer family

salatstealer

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c12c26d5611a06a9ba3a146fa96adadef4e520f28a8e3793837bf9e82ae0f4b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/60447/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample