Analysis of the WhatsWorm campaign leading to the implementation of the Eternity Stealer
The WhatsWorm campaign is a significant threat attributed to Brazilian threat actors who abuse the popular instant messaging application WhatsApp to propagate malware. The campaign begins with a malicious Visual Basic Script (.vbs) embedded in a ZIP file that is distributed to victims through phishing messages. This script is the starting point of the infection chain and enables the subsequent stages of malware execution.
The third phase of the campaign is the execution of a compiled AutoIt interpreter, identified as jFqyDSPp.exe, which carries out several functions. It runs a script from an accompanying log file that acts as a banking information stealer and orchestrates the loading of the fourth stage, known as Eternity Stealer. The AutoIt script uses Reflective DLL Injection to execute the payload in memory, thereby evading the detection mechanisms typically employed by endpoint protection products.
Indicators of Compromise (26)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| domain | coffe-estilo.com | — | 2025-12-02 |
| domain | empautlipa.com | — | 2025-12-02 |
| domain | 013net.com.br | — | 2025-12-02 |
| FileHash-SHA256 | 6e6ca850804982086b8d34e092ee0d5ed047fdc2bea18a55c360c317dd1d19d9 | — | 2025-12-02 |
| FileHash-SHA1 | 718f9865a69c44a8c1ea08e2aeeb0f685cfee1e1 | — | 2025-12-02 |
| FileHash-MD5 | 90a66eea0950c7b73eda8d212e1ad694 | — | 2025-12-02 |
| FileHash-MD5 | 279274f8a137bf31425a9c2c14444b66 | MD5 of bdd2b7236a110b04c288380ad56e8d7909411da93eed2921301206de0cb0dda1 | 2025-12-02 |
| FileHash-SHA1 | 6f7f971406854309d94139aa70bdc772308aff52 | SHA1 of bdd2b7236a110b04c288380ad56e8d7909411da93eed2921301206de0cb0dda1 | 2025-12-02 |
| FileHash-SHA256 | bdd2b7236a110b04c288380ad56e8d7909411da93eed2921301206de0cb0dda1 | SHA256 of 6f7f971406854309d94139aa70bdc772308aff52 | 2025-12-02 |
| FileHash-SHA256 | de07516f39845fb91d9b4f78abeb32933f39282540f8920fe6508057eedcbbea | — | 2025-12-02 |
| FileHash-SHA1 | e38734e1d28d4e5621da8ff60aba0225c73699aa | — | 2025-12-02 |
| FileHash-MD5 | 7bae034dc77dec9a72d6e4a262f3edae | — | 2025-12-02 |
| FileHash-MD5 | 5bcb9f187320893d1b1c36fa0c18e094 | MD5 of 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3 | 2025-12-02 |
| FileHash-SHA1 | a1c88a022e55d73a2894ddfb8b7bf5381d9f13dd | SHA1 of 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3 | 2025-12-02 |
| FileHash-SHA256 | 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3 | SHA256 of a1c88a022e55d73a2894ddfb8b7bf5381d9f13dd | 2025-12-02 |
| FileHash-SHA256 | ce24c65c285ff240a7555fafb85f53843085092e9133e1f8558a0f2898952737 | — | 2025-12-02 |
| FileHash-SHA1 | 2be8d86ea8e1fd96c968ed02825385afc0be1915 | — | 2025-12-02 |
| FileHash-MD5 | 8197f50266e988a63196eece2e2a5a9c | — | 2025-12-02 |
| FileHash-SHA256 | fb71f48345e3568b7e7ba1eb5078b055b7350673a92379dba231fd66dbd9dadc | — | 2025-12-02 |
| FileHash-SHA1 | fac812b468705d1376d86772664c08bef2983d17 | — | 2025-12-02 |
| FileHash-MD5 | f1a81262cef067c447ff20ef3c5f22fc | — | 2025-12-02 |
| FileHash-SHA256 | 0d1174292357f91d0d6721aefecd19873a8b27d295d1c6089efaa455c453a0aa | — | 2025-12-02 |
| FileHash-MD5 | 95daa771a28eaed76eb01e1e8f403f7c | MD5 of cdd5717fd3bfd375c1c34237c24073e92ad6dccc | 2025-12-02 |
| FileHash-SHA1 | cdd5717fd3bfd375c1c34237c24073e92ad6dccc | SHA1 of 95daa771a28eaed76eb01e1e8f403f7c | 2025-12-02 |
| FileHash-SHA256 | 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82 | SHA256 of cdd5717fd3bfd375c1c34237c24073e92ad6dccc | 2025-12-02 |
| CVE | CVE-2023-44487 | — | 2025-12-02 |