File name: Project Eternity.rar

Full analysis: https://app.any.run/tasks/d54c66fc-36fb-4d35-b6c2-ce398d8efb5f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 20, 2024, 13:10:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
eternity
stealer
growtopia
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: D9EDEB080BE5AA71322E0CF80CBD7C8B
SHA1: 6E302F5D10265A775330F163BA776A2FA2B8D24F
SHA256: 5BFE66342387FA1FA6139135493B3E90CFC0CD9A4DF4F381C939794F63C75EB4
SSDEEP: 49152:akKIIq+2PlaufcpYLG/9FV24ylr5OWFeddW9SaM5pnKhiayE5OhJtbAabRlBBVjR:4IlSkG/Rvyx5Owez9aSnKgaymgbA+h2W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3976)
      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Steals credentials from Web Browsers

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Actions look like stealing of personal data

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Create files in the Startup directory

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • GROWTOPIA has been detected (YARA)

      • Project Eternity.exe (PID: 1120)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3976)
    • Executable content was dropped or overwritten

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Reads the Internet Settings

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Reads settings of System Certificates

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Contacting a server suspected of hosting a CnC

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3976)
    • Checks supported languages

      • Project Eternity.exe (PID: 1120)
      • dcd.exe (PID: 2036)
      • dcd.exe (PID: 1604)
      • Project Eternity.exe (PID: 316)
      • wmpnscfg.exe (PID: 1664)
    • Reads the computer name

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
      • wmpnscfg.exe (PID: 1664)
    • Manual execution by a user

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
      • wmpnscfg.exe (PID: 1664)
    • Disables trace logs

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Reads the machine GUID from the registry

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Reads Environment values

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Create files in a temporary directory

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Reads the software policy settings

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
    • Creates files or folders in the user directory

      • Project Eternity.exe (PID: 1120)
      • Project Eternity.exe (PID: 316)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 41
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph: start, winrar.exe, project eternity.exe (#GROWTOPIA), dcd.exe (no specs), project eternity.exe, wmpnscfg.exe (no specs), dcd.exe (no specs)

Process information

PID: 316
CMD: "C:\Users\admin\Desktop\Project Eternity\Project Eternity.exe"
Path: C:\Users\admin\Desktop\Project Eternity\Project Eternity.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: (none)
Exit code: 3762504530 (0xE0434352, unhandled .NET CLR exception)
Version: 0.0.0.0
Modules (images):
  • c:\users\admin\desktop\project eternity\project eternity.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1120
CMD: "C:\Users\admin\Desktop\Project Eternity\Project Eternity.exe"
Path: C:\Users\admin\Desktop\Project Eternity\Project Eternity.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: (none)
Exit code: 3762504530 (0xE0434352, unhandled .NET CLR exception)
Version: 0.0.0.0
Modules (images):
  • c:\users\admin\desktop\project eternity\project eternity.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1604
CMD: "C:\Users\admin\AppData\Local\Temp\dcd.exe" -path=""
Path: C:\Users\admin\AppData\Local\Temp\dcd.exe
Parent process: Project Eternity.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\dcd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\winnsi.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID: 1664
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\dcd.exe" -path=""
Path: C:\Users\admin\AppData\Local\Temp\dcd.exe
Parent process: Project Eternity.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\dcd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\winnsi.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID: 3976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Project Eternity.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
Total events: 13 901
Read events: 13 850
Write events: 51
Delete events: 0

Modification events

(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 3976) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Project Eternity.rar
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 3976) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 12
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\Project Eternity.exe (executable)
  MD5: 50074D499BBBD1DC6BA6E2618A9D9E30
  SHA256: 4EC78F05F11B92BB149115551E9D592E4D30274F87BB93FE9AB68AB5FE4C908C
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\System.Buffers.dll (executable)
  MD5: A48936868ABF91274DEF7231AA52DBB5
  SHA256: 423200010A7684763451473A4FB206DFA074FC8249676621EF9D9A13417D364D
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\System.Numerics.Vectors.dll (executable)
  MD5: AAA2CBF14E06E9D3586D8A4ED455DB33
  SHA256: 1D3EF8698281E7CF7371D1554AFEF5872B39F96C26DA772210A33DA041BA1183
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\ENet.Managed.dll (executable)
  MD5: 816A81AC833687F237182AD574A4D6B2
  SHA256: 8B75146DB5DC7240AB1C3369AA424568A83BB73AE74EB8E8A79B7F440242DAA7
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\Read me\Read me.txt (text)
  MD5: 5D3052FEEC5BE7451E60265CD6EF7231
  SHA256: 94497E5D4414E1ED4B6274B4D717C2F471FCA5FF9B7AB5DE6E10094ADAF32B04
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\System.Runtime.CompilerServices.Unsafe.dll (executable)
  MD5: C4CFE03F75BC01969BC936C9C09BAA12
  SHA256: A2D38A330DF390CC739689369A36520FE491D3660D73974EB46B51608F50675B
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\System.Memory.dll (executable)
  MD5: F09441A1EE47FB3E6571A3A448E05BAF
  SHA256: BF3FB84664F4097F1A8A9BC71A51DCF8CF1A905D4080A4D290DA1730866E856F
PID 1120, Project Eternity.exe: C:\Users\admin\AppData\Local\Temp\dcd.exe (executable)
  MD5: B5AC46E446CEAD89892628F30A253A06
  SHA256: DEF7AFCB65126C4B04A7CBF08C693F357A707AA99858CAC09A8D5E65F3177669
PID 3976, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.48836\Project Eternity\Newtonsoft.Json.dll (executable)
  MD5: 195FFB7167DB3219B217C4FD439EEDD6
  SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
PID 316, Project Eternity.exe: C:\Users\admin\AppData\Local\Temp\dcd.exe (executable)
  MD5: B5AC46E446CEAD89892628F30A253A06
  SHA256: DEF7AFCB65126C4B04A7CBF08C693F357A707AA99858CAC09A8D5E65F3177669
HTTP(S) requests: 2
TCP/UDP connections: 11
DNS requests: 4
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1120 | Project Eternity.exe | GET | 204 | 142.250.185.238:80 | http://google.com/generate_204 | unknown | unknown
(PID and process not captured in the export) | GET | 204 | 142.250.185.238:80 | http://google.com/generate_204 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1120 | Project Eternity.exe | 142.250.185.238:80 | google.com | GOOGLE | US | whitelisted
1120 | Project Eternity.exe | 104.21.20.223:443 | eterprx.net | CLOUDFLARENET | - | unknown
1120 | Project Eternity.exe | 172.67.199.29:443 | eternitypr.net | CLOUDFLARENET | US | unknown
1680 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
316 | Project Eternity.exe | 142.250.185.238:80 | google.com | GOOGLE | US | whitelisted
316 | Project Eternity.exe | 104.21.20.223:443 | eterprx.net | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.238 | whitelisted
eterprx.net | 104.21.20.223, 172.67.194.181 | malicious
eternitypr.net | 172.67.199.29, 104.21.21.142 | malicious
watson.microsoft.com | 104.208.16.93 | whitelisted

Threats

PID | Process | Class | Message
1088 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)
1120 | Project Eternity.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
1088 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
1120 | Project Eternity.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)
316 | Project Eternity.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
316 | Project Eternity.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)
No debug info