MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd2bf6b3faa6756b3a3dc161e3529eed27d70a98f69e05c493ee8ca2bccc1201. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Eternity

Vendor detections: 12

SHA256 hash: cd2bf6b3faa6756b3a3dc161e3529eed27d70a98f69e05c493ee8ca2bccc1201
SHA3-384 hash: 24ce95d60572167a094bf647015d976f7c6266788e139bfb3e4eeb6a807a68a58924267f2717ca2f46a8d1c747f52db5
SHA1 hash: 79be9cffa82c48dd600fe994d040a5b11373b587
MD5 hash: 4ffc12082c606220256f9f750f98d572
humanhash: triple-ink-snake-december
File name: 5200.exe
Signature: Eternity
File size: 92'160 bytes
First seen: 2022-10-19 03:12:09 UTC
Last seen: 2022-10-19 17:05:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 1536:37fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfewhfYOS:r7DhdC6kzWypvaQ0FxyNTBfeSu
Threatray: 2'976 similar samples on MalwareBazaar
TLSH: T1CB937D41F3E202F7EAF1053100A6726F973663389764A8EBC74C2D529913AD5A63D3F9
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: r3dbU7z
Tags: Eternity exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 267
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 5200.exe
Verdict: Suspicious activity
Analysis date: 2022-10-19 06:03:28 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Launching a process
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Sending a custom TCP request
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: nitol packed shell32.dll snojan

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Babadeda
Detection: malicious
Classification: troj.adwa.expl
Score: 96 / 100
Signature
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected Babadeda
Behaviour
Behavior Graph:
Graph ID 725793, sample 5200.exe, start date 19/10/2022, architecture WINDOWS, score 96.
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for dropped file; Yara detected Babadeda; 4 other signatures.
Process tree recoverable from the graph:
5200.exe starts cmd.exe and conhost.exe. That cmd.exe is flagged for "Drops script or batch files to the startup folder", "Uses cmd line tools excessively to alter registry or file data" and "Drops PE files to the startup folder", and launches a second 5200.exe.
The second 5200.exe starts cmd.exe and conhost.exe. This cmd.exe drops C:\Users\user\AppData\Roaming\...\part1.bat (ASCII) and launches three cmd.exe children plus 11 other processes.
Those children spawn further cmd.exe/conhost.exe pairs; one group contacts 111.90.151.174 (ports 49715, 49716, 49717; SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, Malaysia).
A nested cmd.exe drops C:\Users\user\AppData\...\Ransomware.exe (PE32) and is again flagged for "Uses cmd line tools excessively to alter registry or file data"; the leaves of the tree are repeated cmd.exe -> reg.exe launches (each with a Conhost.exe), with the same signature firing at that depth.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-10-19 03:26:30 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: eternity
Score: 10/10
Tags: family:eternity evasion ransomware trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Sets desktop wallpaper using registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Eternity
Modifies Windows Defender Real-time Protection settings
Modifies security service
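The sandbox behaviours listed above (Task Manager disabled through the registry, Defender real-time protection settings changed, wallpaper set via the registry, taskkill, schtasks, ping, a batch file dropped into the Startup folder, and cmd.exe fanning out many reg.exe children) are the kind of thing a host-based detection can catch from process-creation telemetry alone. The following is an added example, not the code or rules of MalwareBazaar or of any vendor shown on this page: it runs a small rule set over constructed Sysmon Event ID 1 style records. The command lines in EVENTS are assumptions modelled on the behaviour names; the page reports behaviours, not the exact commands the sample ran.

```python
"""Detection pass over process-creation events for the behaviours reported
for this sample.  Added example, not any vendor's sandbox logic.  EVENTS is
constructed from the behaviour names on the page; the command lines are
assumptions, and the benign tail shows the rules stay quiet on ordinary
cmd.exe/reg.exe use."""
import ntpath
import re
from collections import Counter

# Constructed Sysmon Event ID 1 style records: (pid, ppid, image, command line).
EVENTS = [
    (100, 1, r"C:\Users\user\Desktop\5200.exe", "5200.exe"),
    (101, 100, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c copy 5200.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\part1.bat"'),
    (102, 101, r"C:\Windows\System32\reg.exe",
     r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    (103, 101, r"C:\Windows\System32\reg.exe",
     r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\user\AppData\Roaming\wall.bmp /f'),
    (104, 101, r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    (105, 101, r"C:\Windows\System32\reg.exe",
     r'reg add "HKCU\Software\Classes\.txt" /ve /d lockedfile /f'),
    (106, 101, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im taskmgr.exe"),
    (107, 101, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Users\user\AppData\Roaming\Ransomware.exe /f'),
    (108, 101, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 5"),
    # Benign activity (constructed): must not produce findings.
    (200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (202, 201, r"C:\Windows\System32\reg.exe", r'reg query "HKCU\Environment"'),
]

# (behaviour name as reported on this page, image regex, command-line regex)
RULES = [
    ("Drops script or batch files to the startup folder", r"\\cmd\.exe$",
     r'Start Menu\\Programs\\Startup\\[^"\s]+\.(bat|cmd|vbs|ps1|js)\b'),
    ("Disables Task Manager via registry modification", r"\\reg\.exe$",
     r"\bDisableTaskMgr\b.*\s/d\s+1\b"),
    ("Sets desktop wallpaper using registry", r"\\reg\.exe$",
     r"Control Panel\\Desktop.*\bWallpaper\b"),
    ("Modifies Windows Defender Real-time Protection settings", r"\\reg\.exe$",
     r"Windows Defender\\Real-Time Protection"),
    ("Kills process with taskkill", r"\\taskkill\.exe$", r"(^|\s)/f\b"),
    ("Creates scheduled task(s)", r"\\schtasks\.exe$", r"(^|\s)/create\b"),
    ("Runs ping.exe", r"\\ping\.exe$", r"\b127\.0\.0\.1\b.*-n\s+\d+"),
]


def ancestry(pid, by_pid):
    """Image basenames from the root ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


def detect(events=EVENTS, reg_burst_threshold=3):
    """Return (behaviour, pid, process chain) findings over the events."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        for name, img_re, cmd_re in RULES:
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmd, re.I):
                findings.append((name, pid, " > ".join(ancestry(pid, by_pid))))
    # Burst rule: one cmd.exe fanning out several reg.exe add/delete children,
    # the "uses cmd line tools excessively to alter registry" pattern above.
    reg_children = Counter()
    for pid, ppid, image, cmd in events:
        parent = by_pid.get(ppid)
        if (parent and re.search(r"\\cmd\.exe$", parent[2], re.I)
                and re.search(r"\\reg\.exe$", image, re.I)
                and re.search(r"\breg\s+(add|delete)\b", cmd, re.I)):
            reg_children[ppid] += 1
    for ppid, n in reg_children.items():
        if n >= reg_burst_threshold:
            findings.append(("Uses cmd line tools excessively to alter registry or file data",
                             ppid, " > ".join(ancestry(ppid, by_pid))))
    return findings


if __name__ == "__main__":
    for name, pid, chain in detect():
        print(f"[{name}] pid={pid} chain={chain}")
```

Each finding carries the process chain back to the root (5200.exe > cmd.exe > reg.exe), which is what lets an analyst tie a single reg.exe event to the dropper rather than to an administrator's script; the burst rule fires on the parent cmd.exe, so the threshold, not any one registry key, is what catches variants that change the keys they touch.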
Unpacked files
SHA256 hash: ed2ec45f556f27ee31f9a5e9cfa9ab6848e977bb402fd787c307264b72b77303
MD5 hash: 34a6e1031a566f37d1e140d533851c9c
SHA1 hash: d08d88889639c2779427044204b7eff8f4701e81

SHA256 hash: 0b93d2324a3e084055cef38a393ae9bb0b612be84326f5e2e4c43fa26fc4e259
MD5 hash: f735b19c4a16583c1ff0ee2de6a99028
SHA1 hash: cf12a4a49079a2599d3122e86aa25367b6f246f5

SHA256 hash: a3b17d86d0d67bd936e1208d39ad703c673ca3f2b45b35fa02dbc5fba67d213b
MD5 hash: d531561cf9f6adcafa411f73a29bb79e
SHA1 hash: 36c56c7fb0c651644ea7f49d5770e4b5ff3b5f47

SHA256 hash: 3c11b494c44fc6b9fd04363867ac64de7a8faaf268dd5ea8b9711dba59243322
MD5 hash: b9a66e955fdb4b8b4e15491e7112cca6
SHA1 hash: 3620ed3e05713065d03c0ae5241ebb8481031031

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: cd2bf6b3faa6756b3a3dc161e3529eed27d70a98f69e05c493ee8ca2bccc1201 (the submitted sample)
MD5 hash: 4ffc12082c606220256f9f750f98d572
SHA1 hash: 79be9cffa82c48dd600fe994d040a5b11373b587
Please note that we are no longer able to provide a coverage score for Virus Total.
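The hashes above (the submitted sample plus its unpacked files) are the IOCs a responder actually searches for on disk. The following is an added example, not MalwareBazaar's code: it carries the page's hash table and checks a file's bytes against it on every algorithm the table lists. A hit on MD5 or SHA1 without a matching SHA256 is reported separately rather than trusted, since it can only mean a transcription error in the table or a collision. The bytes fed to the demo at the bottom are constructed and are not the malware.

```python
"""Check a file against the hash IOCs listed on this MalwareBazaar entry.

Added example, not MalwareBazaar code.  IOCS is copied from the page: the
submitted sample (all four digests shown there) and the six unpacked files.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

IOCS = {
    "5200.exe (submitted sample)": {
        "sha256": "cd2bf6b3faa6756b3a3dc161e3529eed27d70a98f69e05c493ee8ca2bccc1201",
        "sha3_384": "24ce95d60572167a094bf647015d976f7c6266788e139bfb3e4eeb6a807a68a5"
                    "8924267f2717ca2f46a8d1c747f52db5",
        "sha1": "79be9cffa82c48dd600fe994d040a5b11373b587",
        "md5": "4ffc12082c606220256f9f750f98d572",
    },
    "unpacked file 1": {
        "sha256": "ed2ec45f556f27ee31f9a5e9cfa9ab6848e977bb402fd787c307264b72b77303",
        "sha1": "d08d88889639c2779427044204b7eff8f4701e81",
        "md5": "34a6e1031a566f37d1e140d533851c9c"},
    "unpacked file 2": {
        "sha256": "0b93d2324a3e084055cef38a393ae9bb0b612be84326f5e2e4c43fa26fc4e259",
        "sha1": "cf12a4a49079a2599d3122e86aa25367b6f246f5",
        "md5": "f735b19c4a16583c1ff0ee2de6a99028"},
    "unpacked file 3": {
        "sha256": "a3b17d86d0d67bd936e1208d39ad703c673ca3f2b45b35fa02dbc5fba67d213b",
        "sha1": "36c56c7fb0c651644ea7f49d5770e4b5ff3b5f47",
        "md5": "d531561cf9f6adcafa411f73a29bb79e"},
    "unpacked file 4": {
        "sha256": "3c11b494c44fc6b9fd04363867ac64de7a8faaf268dd5ea8b9711dba59243322",
        "sha1": "3620ed3e05713065d03c0ae5241ebb8481031031",
        "md5": "b9a66e955fdb4b8b4e15491e7112cca6"},
    "unpacked file 5": {
        "sha256": "0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4",
        "sha1": "e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd",
        "md5": "13d3997b43c3d5cbafb0ff10b6f0dee1"},
    "unpacked file 6": {
        "sha256": "e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76",
        "sha1": "34298fe220e35f614b2c837cf1dc2604ab0882d6",
        "md5": "5cac4fe734fc8454ccb847e030beee38"},
}


def digests(data: bytes) -> dict:
    """Every digest used in the IOC table, as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def _match(d: dict, iocs: dict) -> list:
    """One record per IOC entry sharing at least one digest with `d`.
    `mismatched` lists algorithms the entry also carries that did NOT match:
    a non-empty list means the entry is inconsistent for this file."""
    hits = []
    for label, ref in iocs.items():
        matched = sorted(alg for alg, h in ref.items() if d.get(alg) == h.lower())
        if not matched:
            continue
        mismatched = sorted(alg for alg in ref if alg in d and alg not in matched)
        hits.append({"label": label, "matched": matched, "mismatched": mismatched})
    return hits


def match_iocs(data: bytes, iocs: dict = IOCS) -> list:
    """Match in-memory bytes (e.g. a carved or unpacked blob)."""
    return _match(digests(data), iocs)


def check_file(path: str, iocs: dict = IOCS, chunk: int = 1 << 20) -> list:
    """Stream a file from disk through all digests at once, then match."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return _match({alg: h.hexdigest() for alg, h in hashers.items()}, iocs)


if __name__ == "__main__":
    import sys
    # Constructed bytes, not the sample: expect no hits.
    print(match_iocs(b"MZ\x90\x00 constructed, not the sample"))
    for path in sys.argv[1:]:
        for hit in check_file(path):
            print(path, hit)
```

Run it as `python check_iocs.py <files>` (file name assumed). Any record whose `mismatched` list is non-empty should be treated as an error in the table rather than as a confirmed match; with the page's own values a genuine copy of the sample matches all four digests of the first entry.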

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Eternity
File: Executable exe cd2bf6b3faa6756b3a3dc161e3529eed27d70a98f69e05c493ee8ca2bccc1201 (this sample)

Delivery method: Distributed via web download

Comments