Static Analysis — Eternity Stealer .NET | Threat: HIGH

File Identity

SHA256: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
File (internal): Eternity.exe (confirmed as a string inside the binary)
Size: 63,488 bytes (PE32 GUI x86, .NET)
Entropy: 5.264 (normal for .NET, obfuscated with ConfuserEx)
Timestamp: FUTURE (fake -- cracked/distributed builder)

Eternity Stealer: Identity Confirmation

ETERNITY CONFIRMED: The binary contains the strings "Eternity.exe" and "Clipboard Manager" -- a definitive identification of the Eternity Stealer family!
Eternity.exe (internal string)
Win32Clipboard
Clipboard Manager

-- Eternity Stealer: .NET-based multi-layered infostealer (Tor marketplace)
-- Win32Clipboard + Clipboard Manager: BTC/ETH address clipboard hijack capability
-- Clipboard hijacking: when the victim copies a crypto address, it is replaced with the attacker's
-- Eternity Stealer features: browser cookie, password, Discord token, crypto wallet

ConfuserEx Obfuscation + AES Encryption

Namespace: nhqiftpausgcgynnttjgxfqhlzyzmrh (ConfuserEx random name)
nszdrfqrxkegpftpuymktqhezqbembnansi (second obfuscated class)

AesCryptoServiceProvider
CryptoStream
ICryptoTransform
CreateDecryptor
System.Security.Cryptography
CryptoStreamMode

-- ConfuserEx: the most common obfuscator for .NET binaries
-- Random long namespace: obstructs static analysis
-- AesCryptoServiceProvider: encrypts/decrypts C2 data with AES-CBC
-- ICryptoTransform: encryption transform interface

Encrypted Config / AES Key Traces (Base64)

kAyhVXsBS4XuXDfTaLHPibXIt8ju0CMDswxwQhuUo8NQ= (AES key/IV?)
zsRNjKlWUnQMP3KjuY3GERwRQ1TK4gbZNGJAPhEz8ZY=
zLeUlw4pTbwD3hgmODOK4oOqrz/JajurtubNoqeCtnU=
Z7vEAC/cqtokECnqu63CRKrubT5qwu2I+88QWyyFnPg=
YXRiguTC0V1eXDZ4Avma0LzmWxAut7bFuKF88lH8WWsBlZf1YL1lqEZUptlYDlS8SC95...

-- Numerous Base64 strings: encrypted C2 address + AES key + configuration
-- ToBase64String / FromBase64String: .NET Base64 decoding functions
-- set_UseShellExecute: secondary payload execution via the shell

IOC

SHA256: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
File: Eternity.exe (.NET PE32 x86 63KB)
Obfuscation: ConfuserEx (random namespace)
Clipboard: Win32Clipboard + Clipboard Manager (crypto clipboard hijack)
Encryption: AES-CBC (AesCryptoServiceProvider + ICryptoTransform)
AES B64 key: kAyhVXsBS4XuXDfTaLHPibXIt8ju0CMDswxwQhuUo8NQ=

EternityStealer — Malware Profile

Eternity Stealer .NET 63KB PE32. Confirmed by Eternity.exe internal string. ConfuserEx obfuscation (random namespace nhqiftpausgcgynnttjgxfqhlzyzmrh). AES-CBC encryption via AesCryptoServiceProvider + ICryptoTransform. Win32Clipboard + Clipboard Manager = cryptocurrency clipboard hijacking (replaces BTC/ETH addresses). Future timestamp = cracked builder distributed on forums. Multiple Base64 encoded AES keys/configs in binary.

Malware Type
Infostealer
Programming Language
.NET/C#
C2 Protocol
HTTP/C2
Target Systems
Global

Capabilities & Behavior

Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration

IOC List (1 indicator)

IOC — EternityStealer
# SHA256 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
Type | Value | Note
sha256 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3 |
Tags
eternity-stealer, eternity-exe-string-confirmed, confuserex-obfuscation-random-namespace, aescryptoserviceprovider-icryptotransform-aes-cbc-encryption, win32clipboard-clipboard-manager-pano-hijack, btc-eth-address-replacement-clipboard-hijack, cryptostream-createdecryptor-net-crypto, future-timestamp-fake-cracked-builder, set-useshellexecute-secondary-payload, base64-encoded-aes-key-config-kAyhVXsBS4XuXDfTaLHPibXIt8ju0