Static Analysis — Eternity Stealer .NET | Threat: HIGH
File Identity
| SHA256 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3 |
|---|---|
| File (internal) | Eternity.exe (verified as a string inside the binary) |
| Size | 63,488 bytes (PE32 GUI x86, .NET) |
| Entropy | 5.264 (normal for .NET, obfuscated with ConfuserEx) |
| Timestamp | FUTURE (fake -- cracked/distributed builder) |
Eternity Stealer: Identity Confirmation
ETERNITY CONFIRMED: The binary contains the strings "Eternity.exe" and "Clipboard Manager" -- definitive identification of the Eternity Stealer family!
Eternity.exe (internal string)
Win32Clipboard
Clipboard Manager

-- Eternity Stealer: .NET-based multi-layered infostealer (Tor marketplace)
-- Win32Clipboard + Clipboard Manager: BTC/ETH address clipboard hijack capability
-- Clipboard hijacking: when the victim copies a crypto address, it is replaced with the attacker's
-- Eternity Stealer features: browser cookie, password, Discord token, crypto wallet
ConfuserEx Obfuscation + AES Encryption
Namespace: nhqiftpausgcgynnttjgxfqhlzyzmrh (ConfuserEx random name)
nszdrfqrxkegpftpuymktqhezqbembnansi (second obfuscated class)

AesCryptoServiceProvider
CryptoStream
ICryptoTransform
CreateDecryptor
System.Security.Cryptography
CryptoStreamMode

-- ConfuserEx: the most common obfuscator for .NET binaries
-- Random long namespace: hinders static analysis
-- AesCryptoServiceProvider: encrypts/decrypts C2 data with AES-CBC
-- ICryptoTransform: encryption transform interface
Encrypted Config / AES Key Traces (Base64)
kAyhVXsBS4XuXDfTaLHPibXIt8ju0CMDswxwQhuUo8NQ= (AES key/IV?)
zsRNjKlWUnQMP3KjuY3GERwRQ1TK4gbZNGJAPhEz8ZY=
zLeUlw4pTbwD3hgmODOK4oOqrz/JajurtubNoqeCtnU=
Z7vEAC/cqtokECnqu63CRKrubT5qwu2I+88QWyyFnPg=
YXRiguTC0V1eXDZ4Avma0LzmWxAut7bFuKF88lH8WWsBlZf1YL1lqEZUptlYDlS8SC95...

-- Numerous Base64 strings: encrypted C2 address + AES key + configuration
-- ToBase64String / FromBase64String: .NET Base64 encode/decode functions
-- set_UseShellExecute: running a secondary payload via the shell
IOC
| SHA256 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3 |
|---|---|
| File | Eternity.exe (.NET PE32 x86 63KB) |
| Obfuscation | ConfuserEx (random namespace) |
| Clipboard | Win32Clipboard + Clipboard Manager (crypto clipboard hijack) |
| Encryption | AES-CBC (AesCryptoServiceProvider + ICryptoTransform) |
| AES B64 key | kAyhVXsBS4XuXDfTaLHPibXIt8ju0CMDswxwQhuUo8NQ= |
EternityStealer — Malware Profile
Eternity Stealer .NET 63KB PE32. Confirmed by Eternity.exe internal string. ConfuserEx obfuscation (random namespace nhqiftpausgcgynnttjgxfqhlzyzmrh). AES-CBC encryption via AesCryptoServiceProvider + ICryptoTransform. Win32Clipboard + Clipboard Manager = cryptocurrency clipboard hijacking (replaces BTC/ETH addresses). Future timestamp = cracked builder distributed on forums. Multiple Base64 encoded AES keys/configs in binary.
Malware Type
Infostealer
Programming Language
.NET/C#
C2 Protocol
HTTP/C2
Target Systems
Global
Capabilities & Behavior
Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration
IOC List (1 indicator)
IOC — EternityStealer
# SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
| Type | Value | Note |
|---|---|---|
| sha256 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3 | |