MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7
SHA3-384 hash: 4491ffb31d6de9b77a4b227481b4acb1f77a175ef8be82428d68afe720b70bc9f5f086c00e2373859c5e05341170519b
SHA1 hash: c1ea178d41611e7eb9e849df77c9e377d4990aa5
MD5 hash: 18e3b8536663be78ab7828b18d26bf93
humanhash: spring-spring-uranus-hydrogen
File name:18e3b8536663be78ab7828b18d26bf93.dll
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:2'855'424 bytes
First seen:2022-09-07 09:53:04 UTC
Last seen:2022-09-07 10:49:31 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep 49152:UnwY5UQC3ad5/iojZIphmzJAwSXX6cIOjYzxlOw+qo:yj9JAwyqKjYzxlOwk
Threatray 25 similar samples on MalwareBazaar
TLSH T141D57B22E6539071C9C526B0D13DAFB3AD7889244BB890F7A7D80C7E68355D1633BB87
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:dll ErbiumStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308407/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436531.26916.21204.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar greyware shell32.dll zusy
Link:
https://www.filescan.io/uploads/63186a8fe73fb79b7afd4344/reports/9724cd84-afed-42ae-9340-b2345557b1ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/57f3eb11-e5a1-4ba5-aafb-92c58d1b0b3f
Result
Threat name:
Erbium Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1066233
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Erbium Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7/
Threat name:
Win32.Trojan.ErbiumStealer
Create hunting rule
Status:
Malicious
First seen:
2022-09-04 18:50:58 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vs4u5ddjcs242qigqwwl6duzsrdppwsfar6rnkiyxe2rti6gp73q._file
Verdict:
malicious
Similar samples:
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
ErbiumStealer
070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f
ErbiumStealer
1093c1e9fca0a4c5534aae05d5c75f79f8a60dc2ac1583ac901858b6f21b2afc
ErbiumStealer
14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d
ErbiumStealer
49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0
ErbiumStealer
a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f
ErbiumStealer
cd83d5f6eec9731fbc6c1ce5eee962f82bcf881a63af1f478e6a097760f758df
ErbiumStealer
feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
ErbiumStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220907-lwpgwaghcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
DCRat payload
DcRat
Windows security bypass
Unpacked files
SH256 hash:
acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7
MD5 hash:
18e3b8536663be78ab7828b18d26bf93
SHA1 hash:
c1ea178d41611e7eb9e849df77c9e377d4990aa5
Link:
https://www.unpac.me/results/5b0b085e-f23c-4b32-ab33-b14a3d561faa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/acb94e8c6914/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Erbium_Stealer_Obfuscated
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Erbium Stealer in its obfuscated format
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308407/

Comments