MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f63dc116cf6f2bf6c2f33898d73ef0b974ed3fa9de67d840b50b35ee2d9390d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ErbiumStealer

Vendor detections: 14

SHA256 hash: f63dc116cf6f2bf6c2f33898d73ef0b974ed3fa9de67d840b50b35ee2d9390d9
SHA3-384 hash: ee7ee2b30207f850474d6afa6b35054e722d525417f249e5bb48018fbd17239fe10d90285e22c42724cef90e8547911d
SHA1 hash: 17f2df3d06db612f7e8dcf4e42dc6876608e7baf
MD5 hash: 1b50cba6deab60060d6b0dbfbab22099
humanhash: idaho-delaware-cup-montana
File name: 1b50cba6deab60060d6b0dbfbab22099.exe
Signature: ErbiumStealer
File size: 8'576'209 bytes
First seen: 2022-11-09 14:58:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 196608:PTytGdCltt8ri4VK3jIwIFBk5qNUmwE6AgfPpZfvJU+eEgvlym+a/RdqiSZ:77C1gK3j22BmwPPzJ5eEQlyYoZ
TLSH: T1D4863313FB9A9432D1A21D7259B1979AA16EF4106BC48783D3908337C872EC1D379B7B
TrID:
  91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter: abuse_ch
Tags: ErbiumStealer exe


abuse_ch
ErbiumStealer C2:
http://88.99.127.140/api.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 195
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1b50cba6deab60060d6b0dbfbab22099.exe
Verdict: Malicious activity
Analysis date: 2022-11-09 14:59:35 UTC
Tags: evasion stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
DNS request
Running batch commands
Creating a process with a hidden window
Sending an HTTP GET request
Searching for the browser window
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Launching the default Windows debugger (dwwin.exe)
Launching the process to change the firewall settings
Creating a file in the %AppData% subdirectories
Possible injection to a system process
Unauthorized injection to a recently created process
Downloading the file
Launching a tool to kill processes
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Erbium Stealer, Fabookie, ManusCrypt, So
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Erbium Stealer
Yara detected Fabookie
Yara detected ManusCrypt
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 742083; sample orK7h6yg5E.exe; start date 09/11/2022; architecture WINDOWS; score 100). The graph image is not reproduced here; the information recoverable from it is listed below. The signatures it carries are the same as those in the signature list above.

Process tree (from the graph): orK7h6yg5E.exe, rundll32.exe, svchost.exe and 10 other processes are started from the sample; the sample then starts File.exe, Continue.exe, Proceed.exe and 4 other processes; later stages start cmd.exe, conhost.exe, Folder.exe, csrss.exe, powershell.exe, netsh.exe and WerFault.exe, and a second svchost.exe is marked as injected (thread injection from rundll32.exe).

Files dropped (from the graph):
  C:\Users\user\Desktop\Resource.exe, PE32+
  C:\Users\user\Desktop\Proceed.exe, PE32
  C:\Users\user\Desktop\Install.exe, PE32
  3 other malicious files
  C:\Windows\rss\csrss.exe, PE32
  C:\Users\user\AppData\Local\Temp\db.dll, PE32
  C:\Users\user\AppData\Local\...\zlib1.dll, PE32
  C:\Users\user\AppData\Local\Temp\...\tor.exe, PE32
  C:\Users\user\AppData\...\tor-gencert.exe, PE32
  15 other files (9 malicious)
  C:\Users\user\AppData\Local\...\Cookies.db, SQLite
  C:\Users\user\AppData\Local\...\Login Data.db, SQLite

Network destinations (from the graph; host, IP, ports, AS, country as shown):
  grilloo.net 159.8.122.140, 443, 49718 SOFTLAYERUS United States
  148.251.234.83 HETZNER-ASDE Germany
  star-mini.c10r.facebook.com 157.240.20.35, 443, 49702, 49704 FACEBOOKUS United States
  xv.yxzgamen.com 188.114.96.3, 49701, 80 CLOUDFLARENETUS European Union
  188.114.97.3, 49703, 80 CLOUDFLARENETUS European Union
  192.168.2.1 unknown unknown
  104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  iplogger.com 148.251.234.93, 443, 49705, 49709 HETZNER-ASDE Germany
  74.125.128.127 GOOGLEUS United States
  162.159.134.233 CLOUDFLARENETUS United States
  62.233.57.51 DivisionWRSBE unknown
  208.95.112.1 TUT-ASUS United States
  172.67.161.69 CLOUDFLARENETUS United States
  g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States
  13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  plus two groups of "5 other IPs or domains" not named in the graph
Threat name: Win32.Backdoor.Manuscrypt
Status: Malicious
First seen: 2022-11-05 18:39:56 UTC
File Type: PE (Exe)
Extracted files: 113
AV detection: 32 of 40 (80.00%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: socelars
Score: 10/10
Tags: family:glupteba family:socelars discovery dropper evasion loader persistence spyware stealer trojan vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Uses the VBS compiler for execution
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Glupteba
Process spawned unexpected child process
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/
Dropper Extraction: https://grilloo.net/js/vendor/config_40.ps1

Unpacked files

SHA256 hash: 132e7c320d58329dd4b8e6fda210f7acbcbd425313931103e39d73091d781a3f
MD5 hash: 5c4d187c49ff1823326841138adf6315
SHA1 hash: 5d06a98573ed214462b1970b965a2ee3d902d78a

SHA256 hash: 3ed7750585a823808ee87b66893eddfa9855a9047d7fc72743f75c59a8ba72c5
MD5 hash: e7f0fb3bab3d4d129b836e2c50c658e3
SHA1 hash: 425ca0fcda64ceb6f7a485e43a1baad4efdbbf3c
Detections: win_erbium_stealer_auto

SHA256 hash: e36728e52d02af133b7c742f4c67e32c8442faf17887d7ae2d8ff197983caade
MD5 hash: 0afeeef1912a24051bf602588c0bdd92
SHA1 hash: d37fefa066fab93c9bcc1487a77ac5bf4f36d1fe

SHA256 hash: 8b95385f071a88b76b24ab128732be15088399e1fc89e08858af1307d116ae4b
MD5 hash: da30f0f168b51f6b9efce1e093cc7987
SHA1 hash: 3fbd705851adf4382f9cbce38850a2ca9aa97bf0

SHA256 hash: f63dc116cf6f2bf6c2f33898d73ef0b974ed3fa9de67d840b50b35ee2d9390d9
MD5 hash: 1b50cba6deab60060d6b0dbfbab22099
SHA1 hash: 17f2df3d06db612f7e8dcf4e42dc6876608e7baf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments