MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e79c501ec0282d7dd54b3c9da23489858726eee953b391d2e3f9f40044ce4e2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternityStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e79c501ec0282d7dd54b3c9da23489858726eee953b391d2e3f9f40044ce4e2e
SHA3-384 hash: 7efc409b073cee8ff7dff1ea171384a0b9e6e9ccbc2b0deb93c27a285f641a997cc315162fbd76ddf8c48ae779102140
SHA1 hash: 949c34a65a802cb2b7f1bbb66ba8841582d6d255
MD5 hash: fe54e102040b7108826fda1eba1a50b1
humanhash: mississippi-orange-angel-alpha
File name:fe54e102040b7108826fda1eba1a50b1.exe
Download: download sample
Signature EternityStealer
Create hunting rule
File size:721'152 bytes
First seen:2022-05-20 05:11:32 UTC
Last seen:2022-05-20 05:50:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:8ahKyd2n3115GWp1icKAArDZz4N9GhbkrNEk6gHSkbBv8ciHFkDk:8ahOVp0yN90QEoS6ulck
TLSH T12CE4E1C673949053DC675A704EA383CA1B29FCD1BE30719B3365F72E0A39AD26D29706
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:EternityStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe54e102040b7108826fda1eba1a50b1.exe
Verdict:
No threats detected
Analysis date:
2022-05-20 05:14:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14384b16-342a-4490-9ed8-86dc345eac41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272812/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.49040455.20743.18175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19095/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll control.exe explorer.exe overlay packed rundll32.exe setupapi.dll shell32.dll wacatac
Link:
https://www.filescan.io/uploads/62872365206e081618345990/reports/f6767db7-1e91-40ec-a8d7-497d8ff1c062/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca8ed077-13d4-4a39-9b61-770861a4be1d
Result
Threat name:
AgentTesla, Eternity Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998231
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found Tor onion address
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses TOR for connection hidding
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Eternity Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 630727 Sample: w5eSg7fi2n.exe Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 7 other signatures 2->74 9 w5eSg7fi2n.exe 1 3 2->9         started        12 rundll32.exe 2->12         started        process3 file4 54 C:\Users\user\...\Installer_ovl_res_sig.exe, PE32 9->54 dropped 14 Installer_ovl_res_sig.exe 15 4 9->14         started        process5 dnsIp6 62 cdn.discordapp.com 162.159.134.233, 443, 49763 CLOUDFLARENETUS United States 14->62 64 tiny.one 188.114.96.10, 443, 49762 CLOUDFLARENETUS European Union 14->64 90 Antivirus detection for dropped file 14->90 92 Multi AV Scanner detection for dropped file 14->92 94 Writes to foreign memory regions 14->94 96 2 other signatures 14->96 18 InstallUtil.exe 15 4 14->18         started        22 cmd.exe 1 14->22         started        signatures7 process8 dnsIp9 56 lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion.pet 198.251.89.118, 49829, 80 PONYNETUS United States 18->56 58 ip-api.com 208.95.112.1, 49808, 80 TUT-ASUS United States 18->58 60 192.168.2.1 unknown unknown 18->60 76 May check the online IP address of the machine 18->76 78 Tries to harvest and steal browser information (history, passwords, etc) 18->78 80 Tries to harvest and steal WLAN passwords 18->80 82 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 18->82 24 cmd.exe 1 18->24         started        27 cmd.exe 1 18->27         started        29 cmd.exe 1 18->29         started        84 Uses ping.exe to check the status of other devices and networks 22->84 86 Uses netsh to modify the Windows network and firewall settings 22->86 31 conhost.exe 22->31         started        33 timeout.exe 1 22->33         started        signatures10 process11 signatures12 88 Tries to harvest and steal WLAN passwords 24->88 35 netsh.exe 3 24->35         started        37 conhost.exe 24->37         started        39 findstr.exe 1 24->39         started        41 chcp.com 1 24->41         started        43 netsh.exe 3 27->43         started        45 conhost.exe 27->45         started        50 2 other processes 27->50 47 PING.EXE 29->47         started        52 2 other processes 29->52 process13 dnsIp14 66 127.0.0.1 unknown unknown 47->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e79c501ec0282d7dd54b3c9da23489858726eee953b391d2e3f9f40044ce4e2e/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-18 17:49:00 UTC
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46ofahwafawx3vklhso2enejqwdsn3xjkozzduxd7h2aargojyxa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence
Link:
https://tria.ge/reports/220520-fvt33seahp/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
e79c501ec0282d7dd54b3c9da23489858726eee953b391d2e3f9f40044ce4e2e
MD5 hash:
fe54e102040b7108826fda1eba1a50b1
SHA1 hash:
949c34a65a802cb2b7f1bbb66ba8841582d6d255
Link:
https://www.unpac.me/results/c6241be9-1f3a-404e-9c35-7a1c930b39e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/e79c501ec0282d7dd54b3c9da23489858726eee953b391d2e3f9f40044ce4e2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_01803bc7537a1818c4ab135469963c10
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272812/

Comments