MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
SHA3-384 hash: 37e0f86212ad53c0f80efbcfe845bd718402b167e0209adb525f98fa0594861c6844d6632c4ed6ef4efbde68a2a39a2d
SHA1 hash: 3ba1d0aac10a41519610cf9166ab39b4c092d431
MD5 hash: 36c48ba4f231388a5f08fae2df0cec58
humanhash: shade-ack-moon-south
File name:mamamiya137_ru_.bin
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:2'877'952 bytes
First seen:2022-09-08 23:52:26 UTC
Last seen:2022-09-09 00:44:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep 49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYc92ek:P1Kqvv07noI7lOOYcX
Threatray 28 similar samples on MalwareBazaar
TLSH T1FCD58E31E643D061D9C524B0EA7DBFF26C38992487B860F7E6E40CAAA5254D1733FB52
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter r3dbU7z
Tags:dll ErbiumStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308870/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436531.17933.23382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware shell32.dll zusy
Link:
https://www.filescan.io/uploads/631a80dd1d4a849311e1eddf/reports/52d8be35-175a-492c-bf6d-a109180c393a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7031d5d6-5893-4d10-8d2f-01251f115cbd
Result
Threat name:
Erbium Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067488
Signature
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected Erbium Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c/
Threat name:
Win32.Trojan.ErbiumStealer
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 23:53:12 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qz62lziuefuwpfxox36ngjjl5qe2kf7hpzmwk6jdboqal4j7eoa._file
Verdict:
malicious
Similar samples:
070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f
ErbiumStealer
14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d
ErbiumStealer
49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
ErbiumStealer
49b8a5f3abc91ff83f49bef5cb1180056d79d39fb9079005fdab65fd0e7f13d0
ErbiumStealer
a55168b14de2d0745e56d605ccbb30a951fbd4395f1747479d8df623ac550a8f
ErbiumStealer
acb94e8c6914b5cd410685acbf0e999446f7da45047d16a918b93519a3c67ff7
ErbiumStealer
cd83d5f6eec9731fbc6c1ce5eee962f82bcf881a63af1f478e6a097760f758df
ErbiumStealer
feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
ErbiumStealer
+ 18 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner spyware stealer upx
Link:
https://tria.ge/reports/220908-3xahsagbe4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
xmrig
Unpacked files
SH256 hash:
fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c
MD5 hash:
36c48ba4f231388a5f08fae2df0cec58
SHA1 hash:
3ba1d0aac10a41519610cf9166ab39b4c092d431
Link:
https://www.unpac.me/results/4c29984e-1c6a-4ee2-8607-da0a9114ac24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc33ed2f28a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Erbium_Stealer_Obfuscated
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Erbium Stealer in its obfuscated format
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ErbiumStealer

DLL dll fc33ed2f28a10b4b3cb775f7e699295f604d28bf3bf2cb2bc9185d002f89f91c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/308870/

Comments