MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
SHA3-384 hash: 9de59b3da6cd63d47868a5ee33934e9d91a11b075c66aa7c6ebaff30d7b648c056b87b71b800278405a6ab1ad53d6734
SHA1 hash: a87714a5e9e243acf25dfef8a99268d175d214a0
MD5 hash: 4fcaeadea829d30197d895daa2f3c78f
humanhash: jersey-bluebird-stream-fifteen
File name:4fcaeadea829d30197d895daa2f3c78f.exe
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:637'896 bytes
First seen:2022-09-08 10:01:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a41bb85a2ca7e8422e7df8e92c308576 (2 x ErbiumStealer)
ssdeep 12288:UClb/cXfZn78WfcqzFa4FNR9iyYXNWIQnwFh8h5nS9zhmhtzWbJ49X4jFuVwYrSf:UClb/cPZn78WfcqTyi5nKutzWbU4jGwD
Threatray 357 similar samples on MalwareBazaar
TLSH T183D48C1639C28036E67338324EE8E6B549AEB4711B7646DF53D8193D2F346D09E3263B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ErbiumStealer exe


Avatar
abuse_ch
None C2:
http://yuravogf.beget.tech/api.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://yuravogf.beget.tech/api.php https://threatfox.abuse.ch/ioc/848478/

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FREE FORTNITE HACK-V2.1.exe
Verdict:
No threats detected
Analysis date:
2022-09-05 02:48:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f311d89-ce97-4f72-ba12-9f4b65767754

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308723/
Detection(s):
SecuriteInfo.com.Variant.Lazy.239913.6777.10397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37055/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6319bdf855480bd187d5c946/reports/51054b5b-d999-4d13-83a4-777d679e89e6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/260e85e1-9673-4648-a293-3b24577bae45
Result
Threat name:
Erbium Stealer, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066996
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes to foreign memory regions
Yara detected Erbium Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 699528 Sample: qd4B4U104q.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 59 ijustrun.xyz 2->59 61 yuravogf.beget.tech 2->61 63 8 other IPs or domains 2->63 73 Snort IDS alert for network traffic 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 8 other signatures 2->79 9 qd4B4U104q.exe 1 2->9         started        signatures3 process4 signatures5 91 Writes to foreign memory regions 9->91 93 Allocates memory in foreign processes 9->93 95 Injects a PE file into a foreign processes 9->95 12 AppLaunch.exe 33 9->12         started        17 WerFault.exe 23 9 9->17         started        19 conhost.exe 9->19         started        process6 dnsIp7 65 77.73.133.53, 49737, 80 AS43260TR Kazakhstan 12->65 67 github.com 140.82.121.3, 443, 49741, 49742 GITHUBUS United States 12->67 69 3 other IPs or domains 12->69 49 C:\Users\user\...\yticiywbjedkovnpxuqk.exe, PE32 12->49 dropped 51 C:\Users\user\AppData\...\lhmmrrbpggw.exe, PE32 12->51 dropped 53 C:\Users\user\...\htvykhuyksqxkcterxs.exe, PE32 12->53 dropped 57 13 other files (3 malicious) 12->57 dropped 97 Tries to harvest and steal ftp login credentials 12->97 99 Tries to harvest and steal browser information (history, passwords, etc) 12->99 21 htvykhuyksqxkcterxs.exe 1 12->21         started        24 akyhyzuqjtmerlc.exe 12->24         started        26 higfmfmgricmn.exe 1 12->26         started        28 3 other processes 12->28 55 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->55 dropped file8 signatures9 process10 signatures11 81 Multi AV Scanner detection for dropped file 21->81 83 Machine Learning detection for dropped file 21->83 85 Writes to foreign memory regions 21->85 30 WerFault.exe 21->30         started        33 AppLaunch.exe 2 21->33         started        35 conhost.exe 21->35         started        37 WerFault.exe 21->37         started        87 Allocates memory in foreign processes 24->87 89 Injects a PE file into a foreign processes 24->89 39 conhost.exe 24->39         started        45 2 other processes 24->45 41 conhost.exe 26->41         started        43 AppLaunch.exe 26->43         started        47 3 other processes 28->47 process12 dnsIp13 71 192.168.2.1 unknown unknown 30->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-04 13:03:12 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgyxm7s7lqjirbdaigblvndmlr5ov2oh23stc2ia2mtwrjlx3tiq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
ErbiumStealer
070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f
ErbiumStealer
14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d
ErbiumStealer
49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0
ErbiumStealer
a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f
ErbiumStealer
acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7
ErbiumStealer
cd83d5f6eec9731fbc6c1ce5eee962f82bcf881a63af1f478e6a097760f758df
ErbiumStealer
feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
ErbiumStealer
+ 347 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220908-l2akxaecc8/
Unpacked files
SH256 hash:
aca41caf157e6ceba32dfe00eeced7af198f1361e306d4cf4c4b95b5bd80611a
MD5 hash:
243edc076aadd01988545d55655624a0
SHA1 hash:
0c9b04a8038eee5517aab947f0a48f0437a11e7f
Link:
https://www.unpac.me/results/94c12ce1-1213-448b-996a-543ba7b08857/
SH256 hash:
49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
MD5 hash:
4fcaeadea829d30197d895daa2f3c78f
SHA1 hash:
a87714a5e9e243acf25dfef8a99268d175d214a0
Link:
https://www.unpac.me/results/94c12ce1-1213-448b-996a-543ba7b08857/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49b1767e5f5c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308723/

Comments