MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40930473384224102157a7c80362e59859f0101cd16b71d6067611e38258ebf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40930473384224102157a7c80362e59859f0101cd16b71d6067611e38258ebf6
SHA3-384 hash: db0ffc43db418b6c77cf44ce2def2aaf5b65026ccb17bd3f7ba9dfdfd74d53bbbfe080f977a6801d17ed5e66095b89be
SHA1 hash: e6fb4bb91eafb81f2a87d1fd650ef4fc703a01e7
MD5 hash: 3ba79f2ddbb2104a2a4d3bd94aeefe8c
humanhash: vegan-angel-red-finch
File name:3ba79f2ddbb2104a2a4d3bd94aeefe8c
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:572'928 bytes
First seen:2022-10-15 07:31:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0159e70f8cf5b2ba150a45a70975768 (1 x ErbiumStealer)
ssdeep 12288:46owAcQzdSngnvCr8Iw9urR62Mc+j12wn:LAcTnNJw0R62KAS
Threatray 453 similar samples on MalwareBazaar
TLSH T154C4DF13B841C0F3D2B6123148D493F8257DABAE07329A7B27EE1AFD5FAC2D15562361
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 ErbiumStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320566/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62791874.2652.515.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43230/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/634a61f3898b0652a4b7c464/reports/b9da8d3c-a9ec-498c-bcce-6df0ebc5ce93/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Certishell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/805fcccf-511d-4d0e-9089-b177f05d632e
Result
Threat name:
Erbium Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091153
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Erbium Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 723763 Sample: 7heMJ3AYNZ.exe Startdate: 15/10/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 6 other signatures 2->50 9 7heMJ3AYNZ.exe 1 2->9         started        12 punpun.exe 2->12         started        14 punpun.exe 2->14         started        process3 signatures4 58 Contains functionality to inject code into remote processes 9->58 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Injects a PE file into a foreign processes 9->64 16 AppLaunch.exe 1 17 9->16         started        20 conhost.exe 9->20         started        process5 dnsIp6 36 79.137.196.121, 1488, 49725 PSKSET-ASRU Russian Federation 16->36 38 nanoplow.space 31.31.196.159, 443, 49727 AS-REGRU Russian Federation 16->38 30 C:\Users\user\AppData\Roaming\...\punpun.exe, PE32 16->30 dropped 32 C:\Users\user\AppData\...\InfoPacPac.exe, PE32 16->32 dropped 34 C:\Users\user\AppData\Local\...\zxc[1].exe, PE32 16->34 dropped 22 InfoPacPac.exe 16->22         started        file7 process8 signatures9 52 Machine Learning detection for dropped file 22->52 54 Writes to foreign memory regions 22->54 56 Injects a PE file into a foreign processes 22->56 25 vbc.exe 22->25         started        process10 dnsIp11 40 mamamiya137.ru 79.137.192.10, 49730, 80 PSKSET-ASRU Russian Federation 25->40 42 77.73.133.53, 49729, 80 AS43260TR Kazakhstan 25->42 28 WerFault.exe 23 9 25->28         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40930473384224102157a7c80362e59859f0101cd16b71d6067611e38258ebf6/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 22:09:13 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icjqi4zyiisbaikxu7eagyxftbm7aea42fvxdvqgoyi6hasy5p3a._file
Verdict:
malicious
Similar samples:
215477085cd991b75733ab549c45c4669e7f052a72491c0b572087a682d5a0fb
ErbiumStealer
727be5cee6ca4efd8b66e94850461d4d1aab5757d8530d69596b2bd1967790a0
ErbiumStealer
8cec1b640f03ea4a093bf2eb41a817f34ab550cfdfe47a11a1814031188e5828
ErbiumStealer
a74503396d8399a29ff3305f4b4bd5526706d0026c45f8f667b02d17d23de37c
ErbiumStealer
d4b8bb0d23cc76d722839af1760053357bc39708d9712af2a882019cbe696613
ErbiumStealer
fd9057972eae84d688262e24b1d87082b18cf567da4bf172df8fe955cee8f75d
ErbiumStealer
+ 443 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221015-jcykbsfdam/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1ca34859-b51f-4125-920e-cad330a42069
Unpacked files
SH256 hash:
40930473384224102157a7c80362e59859f0101cd16b71d6067611e38258ebf6
MD5 hash:
3ba79f2ddbb2104a2a4d3bd94aeefe8c
SHA1 hash:
e6fb4bb91eafb81f2a87d1fd650ef4fc703a01e7
Link:
https://www.unpac.me/results/3c0051ea-1ddb-4ffd-a808-f3fb30b5afdd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/409304733842/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40930473384224102157a7c80362e59859f0101cd16b71d6067611e38258ebf6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ErbiumStealer

Executable exe 40930473384224102157a7c80362e59859f0101cd16b71d6067611e38258ebf6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2375666/
Cape
Cape
https://www.capesandbox.com/analysis/320566/

Comments