MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ErbiumStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0
SHA3-384 hash:	89b15f18731eb0124b0c594034a52f1dc904316c6a5219dbb1d13ba5e645f5c8c7e2dc91c2033883c1d0f1396dc6afaf
SHA1 hash:	24586e0871d3e19ec415ca6ce9883fa235e6d357
MD5 hash:	32722517964c71f49d809c6ca1c9f9ae
humanhash:	carpet-illinois-kitten-london
File name:	32722517964c71f49d809c6ca1c9f9ae.dll
Download:	download sample
Signature	ErbiumStealer Create hunting rule
File size:	2'855'424 bytes
First seen:	2022-09-07 09:53:21 UTC
Last seen:	2022-09-07 10:49:38 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep	49152:UnwY5UQC3ad5/iojZIphmzJAwSXX6cIOjYzxlOwiqo:yj9JAwyqKjYzxlOwo
Threatray	24 similar samples on MalwareBazaar
TLSH	T1D0D57B22E6539071C9C526B0D13DAFB3AD7889244BB890F7A7D80C7E68355D1633BB87
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	dll ErbiumStealer

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308408/

Detection(s):

SecuriteInfo.com.Variant.Zusy.436531.3215.17220.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/63186a91a90642bcbbe902a3/reports/5f359de6-4e5e-479c-9ca6-602034d989d5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/45c82e3b-58ae-4554-a72e-65c35a6f72b8

Result

Threat name:

Erbium Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1066232

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Erbium Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0/

Threat name:

Win32.Trojan.ErbiumStealer

Status:

Malicious

First seen:

2022-09-04 00:54:28 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 41 (51.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jg4kl45lzep7qp2jx324wemaavwxtu47xedzabp5vns72dt7cpia._file

Verdict:

malicious

ErbiumStealer

070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f

ErbiumStealer

1093c1e9fca0a4c5534aae05d5c75f79f8a60dc2ac1583ac901858b6f21b2afc

ErbiumStealer

14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7

ErbiumStealer

19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda

ErbiumStealer

27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d

ErbiumStealer

a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f

ErbiumStealer

cd83d5f6eec9731fbc6c1ce5eee962f82bcf881a63af1f478e6a097760f758df

ErbiumStealer

fd3d08972c19c851242c0e83cdcc3bca60dfcd5d2a92c64872862266a8a9e6ba

ErbiumStealer

feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9

ErbiumStealer

+ 14 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/220907-lw8krabff3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Unpacked files

SH256 hash:

49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0

MD5 hash:

32722517964c71f49d809c6ca1c9f9ae

SHA1 hash:

24586e0871d3e19ec415ca6ce9883fa235e6d357

Link:

https://www.unpac.me/results/5e2c3389-c8f4-4dd0-89de-2ca714e8a10f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49b8a5f3abc9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Erbium_Stealer_Obfuscated Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Erbium Stealer in its obfuscated format

Rule name:	INDICATOR_SUSPICIOUS_EXE_Discord_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Discord tokens regular expressions

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample