File name: Stealer.e

Full analysis: https://app.any.run/tasks/753a3cbb-ddc1-4aa8-a060-32a8da356c7e
Verdict: Malicious activity
Analysis date: December 16, 2023, 13:12:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, eternity stealer, eternity
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 6B429A705CE4C2E7AAC7291181EB637F
SHA1: 01833A1CD5EB0BD077AB7721D514D6A8936F18AC
SHA256: 0E075F284E215362FD1BB86ED89F2EEA11C1B92E949C3D333E0FB3493EB6C9D1
SSDEEP: 3072:xCRjBPZnLtjNllllVO5sY+KKK1omVfVe11tLMXoOIeyW44LZwKsMTn46voArsqr7:xCRjNm5YKKKeftD8yWppIqrvbF3FeI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • Stealer.e.exe (PID: 1556)
    • Actions look like stealing of personal data

      • Stealer.e.exe (PID: 1556)
    • ETERNITY has been detected (YARA)

      • Stealer.e.exe (PID: 1556)
  • SUSPICIOUS

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Stealer.e.exe (PID: 1556)
    • Reads the Internet Settings

      • Stealer.e.exe (PID: 1556)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2108)
    • Starts CMD.EXE for command execution

      • Stealer.e.exe (PID: 1556)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2108)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2108)
    • Reads settings of System Certificates

      • Stealer.e.exe (PID: 1556)
    • Accesses Microsoft Outlook profiles

      • Stealer.e.exe (PID: 1556)
    • Reads browser cookies

      • Stealer.e.exe (PID: 1556)
    • Checks for external IP

      • Stealer.e.exe (PID: 1556)
    • Connects to unusual port

      • Stealer.e.exe (PID: 1556)
  • INFO

    • Reads the computer name

      • Stealer.e.exe (PID: 1556)
      • wmpnscfg.exe (PID: 3452)
    • Checks supported languages

      • Stealer.e.exe (PID: 1556)
      • chcp.com (PID: 3892)
      • wmpnscfg.exe (PID: 3452)
    • Reads Environment values

      • Stealer.e.exe (PID: 1556)
    • Reads CPU info

      • Stealer.e.exe (PID: 1556)
    • Reads the machine GUID from the registry

      • Stealer.e.exe (PID: 1556)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3452)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Eternity

(PID) Process: (1556) Stealer.e.exe
C2: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion
Strings (587)

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2038:11:06 16:43:12+01:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 339456
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x54dbe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 234.234.4322.1234
ProductVersionNumber: 234.234.4322.1234
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: asdfsfw3er234
CompanyName: asdf234asdf
FileDescription: asdsdfw3423
FileVersion: 234.234.4322.1234
InternalName: Death13.exe
LegalCopyright: SFw345w5t 2222
LegalTrademarks: we2
OriginalFileName: Death13.exe
ProductName: fsad234sdaf3
ProductVersion: 234.234.4322.1234
AssemblyVersion: 1234.231.123.1234
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #ETERNITY stealer.e.exe, cmd.exe (no specs), chcp.com (no specs), netsh.exe (no specs), findstr.exe (no specs), wmpnscfg.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1556
CMD: "C:\Users\admin\Desktop\Stealer.e.exe"
Path: C:\Users\admin\Desktop\Stealer.e.exe
Parent process: explorer.exe
User: admin
Company: asdf234asdf
Integrity Level: MEDIUM
Description: asdsdfw3423
Exit code: 0
Version: 234.234.4322.1234
Modules (images):
c:\users\admin\desktop\stealer.e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2108
CMD: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Path: C:\Windows\System32\cmd.exe
Parent process: Stealer.e.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3216
CMD: findstr All
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 3452
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3856
CMD: netsh wlan show profile
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 3892
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 3 625
Read events: 3 569
Write events: 56
Delete events: 0

Modification events

(PID) Process: (3856) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1556) Stealer.e.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 3
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1556 | Stealer.e.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | binary | 289 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1556 | Stealer.e.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1556 | Stealer.e.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
1556 | Stealer.e.exe | 104.20.68.143:443 | pastebin.com | CLOUDFLARENET | - | unknown
1556 | Stealer.e.exe | 136.244.114.76:9051 | - | AS-CHOOPA | FR | unknown
1556 | Stealer.e.exe | 159.65.156.237:1400 | - | DIGITALOCEAN-ASN | IN | unknown

DNS requests

Domain | IP | Reputation
ip-api.com | 208.95.112.1 | shared
t.me | 149.154.167.99 | whitelisted
pastebin.com | 104.20.68.143, 104.20.67.143, 172.67.34.170 | shared

Threats

PID | Process | Class | Message
1556 | Stealer.e.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1556 | Stealer.e.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
1556 | Stealer.e.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
1556 | Stealer.e.exe | Potential Corporate Privacy Violation | ET POLICY Socks5 Proxy to Onion (set)
1556 | Stealer.e.exe | Potentially Bad Traffic | ET INFO Onion/TOR Proxy Client Request
1556 | Stealer.e.exe | Potentially Bad Traffic | ET INFO Onion/TOR Successful Proxy Request Response (Inbound)
1 ETPRO signature available in the full report
No debug info