MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0e1ca584a89fa14547b43ee47ecca4dca89a58a893e51a7eead5e46a11eca5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ErbiumStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	a0e1ca584a89fa14547b43ee47ecca4dca89a58a893e51a7eead5e46a11eca5a
SHA3-384 hash:	3802ebe77cb9a41009dda7263a9baef1a7a324848d57a90138fb7b68d638f4396b4c68eaf18e01d2c729743d270db6bf
SHA1 hash:	8988df4078232d09c4014c8fcf276c5c7d9a1c14
MD5 hash:	9c481583c1d15addba6b844161db1b56
humanhash:	zebra-pennsylvania-crazy-lactose
File name:	9c481583c1d15addba6b844161db1b56.dll
Download:	download sample
Signature	ErbiumStealer Create hunting rule
File size:	2'843'648 bytes
First seen:	2022-09-09 12:34:17 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep	49152:HiEYw/IFUAu8m2O0qp+O7Obof0UCIOImB3pa4vAR1/d+c2oQ5hP58:X08OboFmNFAR1/d+soR8
Threatray	37 similar samples on MalwareBazaar
TLSH	T1CBD57D31EA569074DDC515B1D23D6FF36C389A245BB851F7EBE41CAAA5240C2333AB83
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	dll ErbiumStealer

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308990/

Detection(s):

SecuriteInfo.com.Variant.Zusy.436531.23546.16884.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/631b3346a90642bcbbf568e4/reports/534087bf-3138-497d-ad83-5ccf89e071f7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9b8ea87f-8fd3-4366-bc89-3ac0db7b3f0e

Result

Threat name:

Erbium Stealer

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1067772

Signature

C2 URLs / IPs found in malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Erbium Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0e1ca584a89fa14547b43ee47ecca4dca89a58a893e51a7eead5e46a11eca5a/

Threat name:

Win32.Trojan.ErbiumStealer

Status:

Malicious

First seen:

2022-09-05 00:48:13 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=udq4uwckrh5bivd3ipxep3gkjxfitjmkre7fdj7ovvpenii6zjna._file

Verdict:

malicious

ErbiumStealer

49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0

ErbiumStealer

6af3bebd14348801e1bde3b0cf9e0155ae953503c27a3aa8670d742d4f7f2487

ErbiumStealer

96e9511209ca80dbd6ca81de9733b4945316e592f1a6f86f50e3354bd62f0782

ErbiumStealer

a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f

ErbiumStealer

acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7

ErbiumStealer

ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63

ErbiumStealer

eec9517a9aaa43f9960212117b331b73f7de2760c181ca31f3576cb65d7b011a

ErbiumStealer

fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c

ErbiumStealer

feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9

ErbiumStealer

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220909-psb9xsgba9/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Blocklisted process makes network request

Unpacked files

SH256 hash:

a0e1ca584a89fa14547b43ee47ecca4dca89a58a893e51a7eead5e46a11eca5a

MD5 hash:

9c481583c1d15addba6b844161db1b56

SHA1 hash:

8988df4078232d09c4014c8fcf276c5c7d9a1c14

Link:

https://www.unpac.me/results/e46aed45-a1f7-4b69-beb5-f9b9519491cd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0e1ca584a89fa14547b43ee47ecca4dca89a58a893e51a7eead5e46a11eca5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Erbium_Stealer_Obfuscated Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Erbium Stealer in its obfuscated format

Rule name:	INDICATOR_SUSPICIOUS_EXE_Discord_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Discord tokens regular expressions

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308990/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample