MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternalRocks


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
SHA3-384 hash: 4b018e82a09d633bf32f01eb682f1c1188de4a82f43f2cdb03b158634e0a7b78b44e87d9bfec787724223ac5f0191337
SHA1 hash: 54e4f96c00f1073fc18f7db7d6c3d6fe820d1a7d
MD5 hash: be1a38232acbb1f5294d2d72f45a79a2
humanhash: nineteen-nine-south-earth
File name:CrashRpt1403.dll
Download: download sample
Signature EternalRocks
Create hunting rule
File size:9'682'944 bytes
First seen:2025-12-10 20:11:36 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 196608:u7ujFb57j4HBR8k1NmfXaSem6e2MfEdNWuP:Nv4Twf7ktr
Threatray 8 similar samples on MalwareBazaar
TLSH T130A67B10A8C86607FD7ADFBC999E72500F7AB5952901BB398F4149D93ED2B58C8039F3
TrID 88.1% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.9% (.EXE) Win64 Executable (generic) (10522/11/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter aachum
Tags:78-40-193-126 ACRStealer dll dropped-by-RenPyLoader


Avatar
iamaachum
https://file506703.host23y.cfd/ => https://www.mediafire.com/file/hpp2sl1cbryaeq6/Free+Download+Files.zip/file

ACRStealer C2: 78.40.193.126

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44224/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6939d421a675b653bd0fe047
Tags:
virus micro msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated packed
Link:
https://www.filescan.io/uploads/6939d41d1eac7b9b76a48402/reports/1dc58dc6-4946-4dd4-8ee2-8588e4cd527d/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
Verdict:
Clean
File Type:
executable.pe.32.dll
First seen:
2025-12-10T11:20:00Z UTC
Last seen:
2025-12-10T17:41:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2c80dd84-6dfa-4c14-a5b3-96c5e0078198
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1830558
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1830558 Sample: CrashRpt1403.dll Startdate: 10/12/2025 Architecture: WINDOWS Score: 92 42 Multi AV Scanner detection for submitted file 2->42 44 .NET source code contains potential unpacker 2->44 46 Unusual module load detection (module proxying) 2->46 48 Joe Sandbox ML detected suspicious sample 2->48 9 loaddll32.exe 1 2->9         started        process3 process4 11 rundll32.exe 3 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 2 9->16         started        18 23 other processes 9->18 signatures5 64 Writes to foreign memory regions 11->64 66 Allocates memory in foreign processes 11->66 68 Injects a PE file into a foreign processes 11->68 20 InstallUtil.exe 11->20         started        23 rundll32.exe 2 14->23         started        process6 signatures7 50 Tries to harvest and steal browser information (history, passwords, etc) 20->50 52 Modifies the context of a thread in another process (thread injection) 20->52 54 Tries to steal Crypto Currency Wallets 20->54 62 2 other signatures 20->62 25 chrome.exe 20->25         started        27 chrome.exe 20->27         started        29 chrome.exe 20->29         started        56 Writes to foreign memory regions 23->56 58 Allocates memory in foreign processes 23->58 60 Injects a PE file into a foreign processes 23->60 31 InstallUtil.exe 23->31         started        34 InstallUtil.exe 23->34         started        process8 signatures9 70 Tries to harvest and steal browser information (history, passwords, etc) 31->70 72 Writes to foreign memory regions 31->72 74 Allocates memory in foreign processes 31->74 76 3 other signatures 31->76 36 chrome.exe 31->36         started        38 chrome.exe 31->38         started        40 chrome.exe 31->40         started        process10
Score:
51%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.53 Win 32 Exe x86
Link:
https://app.malva.re/file/be1a38232acbb1f5294d2d72f45a79a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e/
Verdict:
Malicious
Threat:
VHO:Trojan.Win32.Sdum
Link:
https://tip.neiki.dev/file/edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 20:12:17 UTC
File Type:
PE (.Net Dll)
Extracted files:
3
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5w3sodxupjrqevxjmo33jeh4faboxnx6tgwfual5guya4ed4gmpa._file
Verdict:
malicious
Label(s):
amaterastealer
Create hunting rule
Similar samples:
ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
EternalRocks
dd86a3e996b53b952e35477b7980929b1c43c42efec0eadc618115a22ffb86dc
EternalRocks
edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
EternalRocks
error
EternalRocks
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/251210-yyx81sdq2y/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
MD5 hash:
be1a38232acbb1f5294d2d72f45a79a2
SHA1 hash:
54e4f96c00f1073fc18f7db7d6c3d6fe820d1a7d
Link:
https://www.unpac.me/results/e158b8ff-5c2c-4ba6-840e-b58cc8802953/
SH256 hash:
c1f75650fff103d24c28ee297791b06fa94d9be9d2bbf2950c11286935608dc7
MD5 hash:
24c822a925294441b53c0606e582634b
SHA1 hash:
88336acf420cb42eff65516eebb7ab145062c755
Detections:
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/e158b8ff-5c2c-4ba6-840e-b58cc8802953/
SH256 hash:
2209931809a1a9f2158f3408da77b7cb55cef92ffd69090c6d125db42e4e7022
MD5 hash:
c3d3c8ebd7c4fb5250564e54a85e6f2d
SHA1 hash:
a21e25bc9c9b2b1d31bc2ccfc9ac50dc98309922
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e158b8ff-5c2c-4ba6-840e-b58cc8802953/
Parent samples :
b126af50b8713b37e4c1c6c0ee88aa5eba5f0047f10f9ee1f351385f26e6629f
5f43b0ad8cdf49434c552629330efc2e02e9f10444200cec44cc81b061e25398
659c31a6b26b23e18ea9d81e986f91ab3dd489e149d7dc8bc11b6364d1412a23
dd86a3e996b53b952e35477b7980929b1c43c42efec0eadc618115a22ffb86dc
edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
8ea57e02b096d8f2b8c23234ba29dba7fcd61ea4388b89234084252d59d14c26
04ced453d7e0681c6da073ddc5172c8976885af3afd3be8abb46008ea0a08dbf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternalRocks

zip 602194d715d24147d57cd58cdbd6e7fafce9ca198398f7c2e2e22f3a00216763

EternalRocks

DLL dll edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e

(this sample)

EternalRocks

DLL dll ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc

  
Link
https://tria.ge/251210-yn6sea1mcp/behavioral1
  
Dropped by
SHA256 602194d715d24147d57cd58cdbd6e7fafce9ca198398f7c2e2e22f3a00216763
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44224/
  
Dropping
SHA256 ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
  
Dropping
MD5 5e0463e90e1b2925662d69b79dd704a5
  
Dropped by
MD5 bb044fa7c38c6bc1c246026a8002516a

Comments