MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ErbiumStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f
SHA3-384 hash:	94311876b9cedb922da66eb5e6370396d10e042bbd574d7b4b46e6be87a0ef379628376820dd31d54fea2e84e7fb5c23
SHA1 hash:	ca8690462bb3be30a3753da0c44f191fb451b019
MD5 hash:	a455c4d23f52ca06783783719bdfe2e3
humanhash:	chicken-double-avocado-river
File name:	1.bin
Download:	download sample
Signature	ErbiumStealer Create hunting rule
File size:	2'861'568 bytes
First seen:	2022-09-07 07:06:22 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep	49152:ASWRpunqi2Q7f2yrLHTT1Z6ymiRuK+95kd:FWNi2QBnFZ6ymiRuKCa
Threatray	23 similar samples on MalwareBazaar
TLSH	T14CD57D32E756D171CAC516B0A13D6FF36C3C99249BB8A0F3E2E41DAA65241D1233AF47
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	1ZRR4H
Tags:	dll ErbiumStealer

Intelligence

File Origin

# of uploads :

# of downloads :

218

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308352/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Creating a file in the system32 subdirectories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/6318431b705d49fc19d0272f/reports/88e53acf-a46f-4fe2-bf3a-e4e5608fa8c4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ed2a657d-551e-4d1e-a290-f397a703ba8a

Result

Threat name:

Erbium Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1066146

Signature

Found C&C like URL pattern

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected Erbium Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f/

Threat name:

Win32.Trojan.ErbiumStealer

Status:

Malicious

First seen:

2022-09-07 07:07:10 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

17 of 40 (42.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uviwrmkn4lihixsw2yc4zozqvfi7xvbzl4luor45rx3chlcvbkhq._file

Verdict:

malicious

ErbiumStealer

070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f

ErbiumStealer

1093c1e9fca0a4c5534aae05d5c75f79f8a60dc2ac1583ac901858b6f21b2afc

ErbiumStealer

14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7

ErbiumStealer

19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda

ErbiumStealer

27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d

ErbiumStealer

cd83d5f6eec9731fbc6c1ce5eee962f82bcf881a63af1f478e6a097760f758df

ErbiumStealer

f229ca296345afadd9a7f0f4b9bfb45a71468631e07315502b31eadbe893db6a

ErbiumStealer

fd3d08972c19c851242c0e83cdcc3bca60dfcd5d2a92c64872862266a8a9e6ba

ErbiumStealer

feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9

ErbiumStealer

+ 13 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/220907-hxm4nabcc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

Blocklisted process makes network request

Unpacked files

SH256 hash:

a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f

MD5 hash:

a455c4d23f52ca06783783719bdfe2e3

SHA1 hash:

ca8690462bb3be30a3753da0c44f191fb451b019

Link:

https://www.unpac.me/results/74ab9796-59ac-49c1-affc-eb1344951bb4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a55168b14de2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Erbium_Stealer_Obfuscated Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Erbium Stealer in its obfuscated format

Rule name:	INDICATOR_SUSPICIOUS_EXE_Discord_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Discord tokens regular expressions