MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2100937b91f7602953e8cd2095c8d4a0a752aec9c7eab27a0537e363e717f260. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2100937b91f7602953e8cd2095c8d4a0a752aec9c7eab27a0537e363e717f260
SHA3-384 hash: 50425089a857c3dd04bd782c7ba18585539cb8cd0a3ad51cba1bca00ef9673b7ff663ffbbad2ad7cea5ec6dd5b789e9e
SHA1 hash: a5ea0e6da9c1e37eebe4ed59c03b4ce5572b5031
MD5 hash: 174775a5a69df7d2ef9d27535d54e728
humanhash: undress-magazine-lemon-spaghetti
File name:174775a5a69df7d2ef9d27535d54e728.exe
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:1'014'272 bytes
First seen:2022-09-09 05:18:11 UTC
Last seen:2022-09-09 05:42:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1797ab721d550312b93ab992a1e04176 (32 x RedLineStealer, 7 x ErbiumStealer, 1 x PandaStealer)
ssdeep 12288:/1NAYFt7YHYXn/t72LSzQ6MIg/JWYHsHlAPBQxeCZJ6ZDZkZPL7+m78Mor:9NNt7YHYX/t72LGMR/kYUlAPBpwdor
Threatray 36 similar samples on MalwareBazaar
TLSH T10D253B29EB0729F0DA175772855EDB7B9B18BA158032AF7FFF4FDA18A4330123845162
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ErbiumStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
355
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
174775a5a69df7d2ef9d27535d54e728.exe
Verdict:
Malicious activity
Analysis date:
2022-09-09 05:19:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7f77639-6c0b-4347-8144-cf85841ef5e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308915/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.15292.1862.8465.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37153/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/631acccbf7a861bd921d0240/reports/e2d2ac3d-8ad5-4e4d-a48d-cfa8293ef5b9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cbe0d369-8872-42c1-b272-25f69f74d838
Result
Threat name:
Erbium Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067574
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found C&C like URL pattern
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes to foreign memory regions
Yara detected Erbium Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2100937b91f7602953e8cd2095c8d4a0a752aec9c7eab27a0537e363e717f260/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-09-04 09:11:28 UTC
File Type:
PE (Exe)
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eeajg64r65qcsu7izuqjlsguuctvflwjy7vle6qfg7rwhzyx6jqa._file
Verdict:
malicious
Similar samples:
027a8ad0bc5e7e7460423eec9901b07922d83e40a48323bd36a3999aef9e6720
ErbiumStealer
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
30dacaf0c280ac6aa7c0fe4dcb89658c66132226e960bd01194e5f5614edd0b8
ErbiumStealer
49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
ErbiumStealer
49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0
ErbiumStealer
acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7
ErbiumStealer
ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63
ErbiumStealer
fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
ErbiumStealer
feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
ErbiumStealer
+ 26 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/220909-fzt9msged7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
xmrig
Unpacked files
SH256 hash:
bd6c63ec8c6a41d4a938591082a510ead95d57230ecf9af51834ee092fce4168
MD5 hash:
477cda8b74aab2f7c4ab1a851f7e3114
SHA1 hash:
376ee9dd797120a0eeccfc17f87f6fcdc7923f86
Link:
https://www.unpac.me/results/55034bb7-c757-4a95-9d52-b4caa4d7325f/
SH256 hash:
2100937b91f7602953e8cd2095c8d4a0a752aec9c7eab27a0537e363e717f260
MD5 hash:
174775a5a69df7d2ef9d27535d54e728
SHA1 hash:
a5ea0e6da9c1e37eebe4ed59c03b4ce5572b5031
Link:
https://www.unpac.me/results/55034bb7-c757-4a95-9d52-b4caa4d7325f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2100937b91f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2100937b91f7602953e8cd2095c8d4a0a752aec9c7eab27a0537e363e717f260

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Erbium_Loader
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Erbium Stealer's loader
Rule name:Erbium_Stealer_Obfuscated
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Erbium Stealer in its obfuscated format
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308915/

Comments