MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454
SHA3-384 hash: 526c0261e5d35479518f6c085b59555c45669aa75dfa279c44b6b5ce41d2521a7cc239b4162d7d979ea1e2244205f1d8
SHA1 hash: 36797395bb85f08ac5cf7eacb81c8d9ce78b3701
MD5 hash: 141fab15a9ee48b8caadd462553dbff3
humanhash: social-william-lithium-king
File name:141fab15a9ee48b8caadd462553dbff3
Download: download sample
Signature EternityStealer
Create hunting rule
File size:2'166'784 bytes
First seen:2023-05-18 18:07:48 UTC
Last seen:2023-05-20 14:48:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 49152:KFMqbjBFzfnVMDpUFvPnA4UCV1a56xd/BOEZb8v/:4M2NVfVMDpUFvmczxB4A
Threatray 281 similar samples on MalwareBazaar
TLSH T112A5AD7C4AB50AF7C037DBE097C58897B94F6D33F00B5A678192435DC26BA7124EA42E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 EternityStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
53ec1849f7b2812a726ce27134ba1c06.exe
Verdict:
Malicious activity
Analysis date:
2023-05-18 17:31:42 UTC
Tags:
loader smoke trojan stealer rat redline
Link:
https://app.any.run/tasks/2e889f49-8582-49ca-b765-3fdc7570cf54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.15421.31746.27763.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/646669835859d5b6044c0c9a/reports/4be7c5be-25a2-4c6f-b0c5-5c9dfba66373/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce264a0c-a204-4200-a081-bfa1154ac749
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236225
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869228 Sample: JvyAzJR90t.exe Startdate: 18/05/2023 Architecture: WINDOWS Score: 100 100 Multi AV Scanner detection for domain / URL 2->100 102 Antivirus detection for URL or domain 2->102 104 Sigma detected: Scheduled temp file as task from temp location 2->104 106 7 other signatures 2->106 10 JvyAzJR90t.exe 6 2->10         started        14 SRLHjykjP.exe 5 2->14         started        16 JvyAzJR90t.exe 2->16         started        19 SRLHjykjP.exe 2->19         started        process3 dnsIp4 90 C:\Users\user\AppData\Roaming\SRLHjykjP.exe, PE32 10->90 dropped 92 C:\Users\user\AppData\Local\...\tmp9BD7.tmp, XML 10->92 dropped 94 C:\Users\user\AppData\...\JvyAzJR90t.exe.log, ASCII 10->94 dropped 118 Self deletion via cmd or bat file 10->118 120 Uses schtasks.exe or at.exe to add and modify task schedules 10->120 122 Injects a PE file into a foreign processes 10->122 21 JvyAzJR90t.exe 4 10->21         started        25 schtasks.exe 1 10->25         started        124 Multi AV Scanner detection for dropped file 14->124 126 Machine Learning detection for dropped file 14->126 27 SRLHjykjP.exe 14->27         started        29 schtasks.exe 14->29         started        31 SRLHjykjP.exe 14->31         started        96 192.168.2.1 unknown unknown 16->96 33 schtasks.exe 16->33         started        39 3 other processes 16->39 35 schtasks.exe 19->35         started        37 SRLHjykjP.exe 19->37         started        file5 signatures6 process7 file8 84 C:\Users\user\AppData\...\JvyAzJR90t.exe, PE32 21->84 dropped 86 C:\Users\...\JvyAzJR90t.exe:Zone.Identifier, ASCII 21->86 dropped 108 Self deletion via cmd or bat file 21->108 41 cmd.exe 1 21->41         started        44 conhost.exe 25->44         started        88 C:\Users\user\AppData\Local\...\SRLHjykjP.exe, PE32 27->88 dropped 46 cmd.exe 27->46         started        48 conhost.exe 29->48         started        50 conhost.exe 33->50         started        52 conhost.exe 35->52         started        signatures9 process10 signatures11 116 Uses ping.exe to check the status of other devices and networks 41->116 54 JvyAzJR90t.exe 4 41->54         started        57 PING.EXE 1 41->57         started        60 conhost.exe 41->60         started        68 2 other processes 41->68 62 SRLHjykjP.exe 46->62         started        64 conhost.exe 46->64         started        66 chcp.com 46->66         started        70 2 other processes 46->70 process12 dnsIp13 110 Multi AV Scanner detection for dropped file 54->110 112 Machine Learning detection for dropped file 54->112 114 Injects a PE file into a foreign processes 54->114 72 schtasks.exe 54->72         started        74 JvyAzJR90t.exe 54->74         started        98 127.0.0.1 unknown unknown 57->98 76 schtasks.exe 62->76         started        78 SRLHjykjP.exe 62->78         started        signatures14 process15 process16 80 conhost.exe 72->80         started        82 conhost.exe 76->82         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454/
Threat name:
ByteCode-MSIL.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 18:08:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4x5i5gez5dkwcskffi2py26gwzv5tsgwtiy43mp36wuq5hnwurka._file
Verdict:
malicious
Similar samples:
040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
EternityStealer
0ca246e6325bfa1bd4aa4f743a259d4c3553a316a44665a5a21d5d5132b893c0
EternityStealer
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
EternityStealer
22c4a9d47db8cf8183a9b91032c08e9592f37aa4e64a97e3059339698fc0e415
EternityStealer
22d7e40c7ecc7fabf7f7b562e2d476dd0697e0f0482ce646de7771b44c29b1e9
EternityStealer
3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5
EternityStealer
4c0241cc1e92aa8ca713ae65cd6b86eb29cacbad2f0799068361eaa3f1dec75a
EternityStealer
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
EternityStealer
9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11
EternityStealer
c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269
EternityStealer
+ 271 additional samples on MalwareBazaar
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity
Link:
https://tria.ge/reports/230518-wqv3ksdc63/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Eternity
Unpacked files
SH256 hash:
084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb
MD5 hash:
405f5eb6453f66e478a5f4c168616bfe
SHA1 hash:
c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78
Link:
https://www.unpac.me/results/9f9ab54b-faea-4177-82b7-a6fd165cf003/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/9f9ab54b-faea-4177-82b7-a6fd165cf003/
SH256 hash:
ac2dc311d6b7df3ac5aa318a57a05970ef0b0ff040eac66dca1b28e70db13e60
MD5 hash:
97792daef8b801b552bd6992f232b752
SHA1 hash:
24d5a6eb56e6ab81145aa40ef7e19bdb80249467
Link:
https://www.unpac.me/results/9f9ab54b-faea-4177-82b7-a6fd165cf003/
SH256 hash:
0582348e44f48579ba7d724a44d9d76576628e3be43ff4e745eed3e844df7502
MD5 hash:
7db41e24eb09851a03f5793b06439ad6
SHA1 hash:
af652ad14f6ee3043647aae2e7db311c9f3a4b23
Link:
https://www.unpac.me/results/9f9ab54b-faea-4177-82b7-a6fd165cf003/
SH256 hash:
e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454
MD5 hash:
141fab15a9ee48b8caadd462553dbff3
SHA1 hash:
36797395bb85f08ac5cf7eacb81c8d9ce78b3701
Link:
https://www.unpac.me/results/9f9ab54b-faea-4177-82b7-a6fd165cf003/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternityStealer

Executable exe e5fa8e9899e8d56149452a34fc6bc6b66bd9c8d69a31cdb1fbf5a90e9db6a454

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2536806/

Comments


Avatar
zbet commented on 2023-05-18 18:07:55 UTC

url : hxxp://167.88.170.23/swo/sw.exe