MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63
SHA3-384 hash: 1037703f3a92e7afa7b51df22553409c8f7980ffddd8fd82c1dee2c9f6c9da75c6d605127e8ac716d68e2e8eb21b09b6
SHA1 hash: 85c2ec0d59900331c61731fec723004544ce6796
MD5 hash: 252d06bd87a3287e88b25b5686820dc5
humanhash: tango-helium-skylark-winner
File name:jeammah5_beget_tech.bin
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:2'877'952 bytes
First seen:2022-09-08 23:59:22 UTC
Last seen:2022-09-09 00:44:55 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep 49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYce2ek:P1Kqvv07noI7lOOYcK
Threatray 29 similar samples on MalwareBazaar
TLSH T155D58E31E643D061D9C524B0EA7DBFF26C38992487B860F7E6E40CAAA5254D1733FB52
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter r3dbU7z
Tags:dll ErbiumStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308873/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436531.13274.15633.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/631a8245d94ccae410869350/reports/4bf068b7-e12d-4dd7-8a4d-007bd9d35fe4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b46a4510-8ba2-405c-bdf7-0ce250fda841
Result
Threat name:
Erbium Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067491
Signature
C2 URLs / IPs found in malware configuration
Found C&C like URL pattern
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected Erbium Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63/
Threat name:
Win32.Trojan.ErbiumStealer
Create hunting rule
Status:
Malicious
First seen:
2022-09-09 00:00:12 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5q4irzaddncd27xnkg5txwovcid2zsimyygesjyoinzewbm3p5rq._file
Verdict:
malicious
Similar samples:
070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f
ErbiumStealer
14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d
ErbiumStealer
49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
ErbiumStealer
49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0
ErbiumStealer
a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f
ErbiumStealer
acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7
ErbiumStealer
fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
ErbiumStealer
feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
ErbiumStealer
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220909-aab4wagbf3/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63
MD5 hash:
252d06bd87a3287e88b25b5686820dc5
SHA1 hash:
85c2ec0d59900331c61731fec723004544ce6796
Link:
https://www.unpac.me/results/673c229a-f43f-4790-a9b0-fd949683ce89/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec3888e4031b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Erbium_Stealer_Obfuscated
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Erbium Stealer in its obfuscated format
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ErbiumStealer

DLL dll ec3888e4031b443d7eed51bb3bd9d51207acc90cc60c49270e43724b059b7f63

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/308873/

Comments