MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96e9511209ca80dbd6ca81de9733b4945316e592f1a6f86f50e3354bd62f0782. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96e9511209ca80dbd6ca81de9733b4945316e592f1a6f86f50e3354bd62f0782
SHA3-384 hash: 0ca3afb71f9827aab3ca0115f5dfcb26472f0c0c3757385b4a1f34821d59522d98d3f63419ebe690aabbb95a62510736
SHA1 hash: b8ccfdc564e9ea5dee1a85c55c8240a49e96c14d
MD5 hash: 10e0cfc8d7e70dd80065c8335ce20911
humanhash: one-sink-west-pluto
File name:10e0cfc8d7e70dd80065c8335ce20911.exe
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:638'920 bytes
First seen:2022-09-09 05:24:03 UTC
Last seen:2022-09-09 05:42:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a41bb85a2ca7e8422e7df8e92c308576 (2 x ErbiumStealer)
ssdeep 12288:shMb/cXEhzbhlzkqLxe4xZ99aiXNKIQnwFh8h5nP5XhmFlve35hdt4ORuRwEvLSu:shMb/c0hzbhlzkqDe5n5Clve3P4OivQy
Threatray 34 similar samples on MalwareBazaar
TLSH T12ED48D1239C18036EB7238324AE4EAB549AEF4711B224ADF57D8173E1F746D19E3163B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ErbiumStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
383
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
10e0cfc8d7e70dd80065c8335ce20911.exe
Verdict:
Malicious activity
Analysis date:
2022-09-09 05:25:36 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/32a8b22b-84ed-47f6-8b4a-c9b145e1c95a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308920/
Detection(s):
SecuriteInfo.com.Variant.Lazy.239913.22865.4805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37157/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/631ace351d4a849311e24276/reports/8c17812f-2695-4cb5-9210-f3d68d96c9e3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2570d88-d57d-40bf-83b5-accb6f7953bc
Result
Threat name:
Erbium Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067577
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes to foreign memory regions
Yara detected Erbium Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 700109 Sample: wwylLWJOem.exe Startdate: 09/09/2022 Architecture: WINDOWS Score: 100 58 collectivebuy.top 2->58 60 yuravogf.beget.tech 2->60 62 2 other IPs or domains 2->62 72 Snort IDS alert for network traffic 2->72 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 7 other signatures 2->78 9 wwylLWJOem.exe 1 2->9         started        signatures3 process4 signatures5 90 Contains functionality to inject code into remote processes 9->90 92 Writes to foreign memory regions 9->92 94 Allocates memory in foreign processes 9->94 96 Injects a PE file into a foreign processes 9->96 12 AppLaunch.exe 33 9->12         started        17 WerFault.exe 23 9 9->17         started        19 conhost.exe 9->19         started        process6 dnsIp7 64 77.73.133.53, 49709, 80 AS43260TR Kazakhstan 12->64 66 github.com 140.82.121.4, 443, 49713, 49716 GITHUBUS United States 12->66 70 3 other IPs or domains 12->70 48 C:\Users\user\AppData\...\zhiuvucywqubsk.exe, PE32 12->48 dropped 50 C:\Users\user\AppData\...\yhtngfyfoaj.exe, PE32 12->50 dropped 52 C:\Users\user\...\uacnqifxhzbmmsqxvhgdf.exe, PE32 12->52 dropped 56 13 other files (3 malicious) 12->56 dropped 98 Tries to harvest and steal ftp login credentials 12->98 100 Tries to harvest and steal browser information (history, passwords, etc) 12->100 21 hlgdhhzqky.exe 1 12->21         started        24 ogcwkjkmf.exe 1 12->24         started        26 uacnqifxhzbmmsqxvhgdf.exe 12->26         started        28 3 other processes 12->28 68 192.168.2.1 unknown unknown 17->68 54 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->54 dropped file8 signatures9 process10 signatures11 80 Multi AV Scanner detection for dropped file 21->80 82 Machine Learning detection for dropped file 21->82 84 Writes to foreign memory regions 21->84 30 AppLaunch.exe 2 21->30         started        32 conhost.exe 21->32         started        34 WerFault.exe 21->34         started        36 WerFault.exe 21->36         started        86 Allocates memory in foreign processes 24->86 88 Injects a PE file into a foreign processes 24->88 38 conhost.exe 24->38         started        40 AppLaunch.exe 24->40         started        42 WerFault.exe 24->42         started        44 3 other processes 26->44 46 4 other processes 28->46 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96e9511209ca80dbd6ca81de9733b4945316e592f1a6f86f50e3354bd62f0782/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-03 14:38:28 UTC
File Type:
PE (Exe)
AV detection:
16 of 40 (40.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3uvceqjzkanxvwkqhpjom5usrjrnzms6gtpq32q4m2uxvrpa6ba._file
Verdict:
malicious
Similar samples:
027a8ad0bc5e7e7460423eec9901b07922d83e40a48323bd36a3999aef9e6720
ErbiumStealer
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
2100937b91f7602953e8cd2095c8d4a0a752aec9c7eab27a0537e363e717f260
ErbiumStealer
30dacaf0c280ac6aa7c0fe4dcb89658c66132226e960bd01194e5f5614edd0b8
ErbiumStealer
49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
ErbiumStealer
58b94e4512fb32ed431664032c8401fc2c6082121fb9e6c25a001ccf0c5ae4b0
ErbiumStealer
6af3bebd14348801e1bde3b0cf9e0155ae953503c27a3aa8670d742d4f7f2487
ErbiumStealer
ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63
ErbiumStealer
fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
ErbiumStealer
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220909-f3rb6adegr/
Unpacked files
SH256 hash:
ef9711222b8e8b59efb9102e33cf7d2f327c27eaae6974143ff09d7cb1ef80a0
MD5 hash:
3cc974e34d4874442772472f689bf68b
SHA1 hash:
30322e06a34c7b6bae64a48b26c432185fd46fa1
Link:
https://www.unpac.me/results/f542e960-f01b-4f98-83f3-c72310eae2dc/
SH256 hash:
96e9511209ca80dbd6ca81de9733b4945316e592f1a6f86f50e3354bd62f0782
MD5 hash:
10e0cfc8d7e70dd80065c8335ce20911
SHA1 hash:
b8ccfdc564e9ea5dee1a85c55c8240a49e96c14d
Link:
https://www.unpac.me/results/f542e960-f01b-4f98-83f3-c72310eae2dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/96e9511209ca80dbd6ca81de9733b4945316e592f1a6f86f50e3354bd62f0782

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:Erbium_Loader
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Erbium Stealer's loader
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308920/

Comments