MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aa01bf718c57ef526ea7eb5f683df76e3c12511fdb3868b5a1164702875f9e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ErbiumStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	6aa01bf718c57ef526ea7eb5f683df76e3c12511fdb3868b5a1164702875f9e8
SHA3-384 hash:	3750f218f6feb4a87512a0e58efc8d8d7929c7ee9d30fd857c0e405b0525e1e512fc74606a9c467f5ae9cdfb75749826
SHA1 hash:	719d26597fed080f57d61d569bd56d9f744b96a0
MD5 hash:	f70b953bef8ec09a85da8c36e2633703
humanhash:	kentucky-tennessee-golf-beer
File name:	sample.exe
Download:	download sample
Signature	ErbiumStealer Create hunting rule
File size:	2'567'672 bytes
First seen:	2022-09-20 21:47:18 UTC
Last seen:	2022-09-20 22:59:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep	24576:PGQor2FM4bZZdYUY4Byer15YMp4QvXoGa5StylCgyoI/lcXLUl3RuQ55313U:uQGSMoZmMkyoI/KXwl3+
TLSH	T17AC509039A8B0E75DDD23BB461CB633FA734FD30CA2A9B7BB608C53559532C5681A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	z820r
Tags:	ErbiumStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://github.com/Gan02s/REX-STEALER/archive/refs/heads/main.zip

Verdict:

Malicious activity

Analysis date:

2022-09-18 15:45:35 UTC

Tags:

stealer loader

Link:

https://app.any.run/tasks/a87471cb-8fa7-4ff2-9490-01e0af27444d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311812/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.143318.13340.14012.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38317/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

anti-debug anti-vm babar overlay spyeye

Link:

https://www.filescan.io/uploads/632a3591b333b2ec6b3b651d/reports/1a8ebd71-9dea-4f62-9c8e-5cf90ac422b4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/499b22f4-c093-4418-b99f-aeb4ee358158

Result

Threat name:

Erbium Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1074098

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found C&C like URL pattern

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Writes to foreign memory regions

Yara detected Erbium Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6aa01bf718c57ef526ea7eb5f683df76e3c12511fdb3868b5a1164702875f9e8/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-09-18 17:30:03 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nkqbx5yyyv7pkjxkp227na67o3r4cjir7wzync22cfshakdv7hua._file

Verdict:

malicious

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig evasion miner upx

Link:

https://tria.ge/reports/220920-1nr1csaadn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Launches sc.exe

Suspicious use of SetThreadContext

Downloads MZ/PE file

Executes dropped EXE

Stops running service(s)

UPX packed file

XMRig Miner payload

Modifies security service

xmrig

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/93500679-5168-4e57-aed6-28993bfede78

Unpacked files

SH256 hash:

928569861c687067dad7adb29deff5561cfcefe00518c29b2c87dfe68e6c17f4

MD5 hash:

7ece113177a262a910897c573c34539c

SHA1 hash:

7f5a75bbbc3122e41eae25a207cedcf2603fc26e

Link:

https://www.unpac.me/results/96fc30f0-134d-4c39-8684-fda1d4d2afff/

SH256 hash:

6aa01bf718c57ef526ea7eb5f683df76e3c12511fdb3868b5a1164702875f9e8

MD5 hash:

f70b953bef8ec09a85da8c36e2633703

SHA1 hash:

719d26597fed080f57d61d569bd56d9f744b96a0

Link:

https://www.unpac.me/results/96fc30f0-134d-4c39-8684-fda1d4d2afff/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6aa01bf718c5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6aa01bf718c57ef526ea7eb5f683df76e3c12511fdb3868b5a1164702875f9e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Erbium_Loader Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Detects Erbium Stealer's loader

Rule name:	Erbium_Stealer_Obfuscated Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Erbium Stealer in its obfuscated format

Rule name:	INDICATOR_SUSPICIOUS_EXE_Discord_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Discord tokens regular expressions

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/c5b28d35-14be-438a-a12d-c194cdaa4aea/

Dropping

ErbiumStealer

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/311812/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample