MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ae277d34684f2f410a179870d44d26c7be666bcd5654484b41ba9af15d83486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ErbiumStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	5ae277d34684f2f410a179870d44d26c7be666bcd5654484b41ba9af15d83486
SHA3-384 hash:	d2535a0ceed047af05df35856b3aceafb47afee7076c26ba2f4abe769374154bda4ba0569fddc6b8ff1dade0e53b9926
SHA1 hash:	d8813bd225ad931459b827664986d01b9b109497
MD5 hash:	21e5caefc385acd7e8ca2ab670b4d1f9
humanhash:	table-red-earth-summer
File name:	21e5caefc385acd7e8ca2ab670b4d1f9.exe
Download:	download sample
Signature	ErbiumStealer Create hunting rule
File size:	2'354'975 bytes
First seen:	2022-11-09 14:02:52 UTC
Last seen:	2022-11-09 15:48:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b11acca9560fed16383fa71b92439615 (1 x RedLineStealer, 1 x RecordBreaker, 1 x ErbiumStealer)
ssdeep	24576:bBE6YEYGy1EUHVMCyrQGsesToC50kMBIpsrL4/Ll3RuQ55313j:bBmqC50kMBIpsrUzl3R
TLSH	T131B50A036A8B0D75DDD27BB451CB533AA738EE30CA2A9B7FF609C53589532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	ErbiumStealer exe

abuse_ch

ErbiumStealer C2:
http://77.73.133.50/api.php

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

21e5caefc385acd7e8ca2ab670b4d1f9.exe

Verdict:

Suspicious activity

Analysis date:

2022-11-09 14:04:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/84d30eab-8d11-4698-997c-1540a08c552e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/331241/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader45.29546.6103.14500.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending an HTTP GET request

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/50540/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay spyeye

Link:

https://www.filescan.io/uploads/636bb31882dd9f2e26532964/reports/91fde7eb-877e-4301-94f8-6dc06c81db69/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ee6d8ff-8aa3-48b4-a6e1-2dda256f08b3

Result

Threat name:

Erbium Stealer

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1109367

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected Erbium Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ae277d34684f2f410a179870d44d26c7be666bcd5654484b41ba9af15d83486/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-03 16:02:22 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=llrhpu2gqtzpiefbpgdq2rgsnr56mzv42vsujbfudou26foygsda._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221109-rcnzwsheb6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

14a6a7ddc55fce7dcb55aa3c31a5f14394fec68063b826872081dc08dde4bfdf

MD5 hash:

b2d99df8584362215a6facfca4135456

SHA1 hash:

793fc7fc596395bf00f68a0299b7d543deabecf5

Detections:

win_erbium_stealer_auto

Link:

https://www.unpac.me/results/92095e4c-43b8-463e-a770-5480151cf9e6/

SH256 hash:

5ae277d34684f2f410a179870d44d26c7be666bcd5654484b41ba9af15d83486

MD5 hash:

21e5caefc385acd7e8ca2ab670b4d1f9

SHA1 hash:

d8813bd225ad931459b827664986d01b9b109497

Link:

https://www.unpac.me/results/92095e4c-43b8-463e-a770-5480151cf9e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ae277d34684f2f410a179870d44d26c7be666bcd5654484b41ba9af15d83486

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/331241/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample