MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ErbiumStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
SHA3-384 hash: a312be2c0377c48d42c35d610cdf13399d628c4ee6e9602075256102059c6b713db00b84162103200bd852c50a41a7f6
SHA1 hash: f3659bfc4604aa588a079dbc6b3b5c934ac5872c
MD5 hash: 6b74547f37e8c088ffa81dab867b241e
humanhash: india-steak-jersey-mississippi
File name:6b74547f37e8c088ffa81dab867b241e.dll
Download: download sample
Signature ErbiumStealer
Create hunting rule
File size:2'852'864 bytes
First seen:2022-09-06 05:27:09 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c0d46b7ff0e53996feb53e4ba78f033e (18 x ErbiumStealer)
ssdeep 49152:kA9/7pbsk7LDmCoOfDQ9nn1+72rMHmHrql4orYf:z/HfDQ9nAFHmHrql4o
Threatray 22 similar samples on MalwareBazaar
TLSH T1EFD57C22E6574071CEC516B4A23DAFF36C3C99144BB590F7A7F41CB9362A4D1633AB82
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:dll ErbiumStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308026/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar greyware zusy
Link:
https://www.filescan.io/uploads/6316daddb00f73916cbdcac7/reports/d544b38a-1120-45c6-a082-919abe8df80d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cd698171-b6ea-495d-92a6-c667e48ace32
Result
Threat name:
Erbium Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1065368
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Erbium Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 00:58:42 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
13 of 40 (32.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=722jrwa6ffnajy2u3b4tn4pt63dfg7yv7ri6hwb3zp2jqddtu7eq._file
Verdict:
malicious
Similar samples:
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
ErbiumStealer
070baa9e826044343063204cd804e84a928db2543f6fa6aa14de7d00001e258f
ErbiumStealer
1093c1e9fca0a4c5534aae05d5c75f79f8a60dc2ac1583ac901858b6f21b2afc
ErbiumStealer
14b4deb1ca7fbef93f431a1ab9fd4ce58b1d20c03342e359f3ff3734e116afd7
ErbiumStealer
19155af0ca359b2e31ee4d84e2792e5f0e26bc3f144255123cdb7231a5326cda
ErbiumStealer
27dbca88a1b01b220ca881a2636f539a1dd5048d1e5e2948e10185ca96edb36d
ErbiumStealer
cd83d5f6eec9731fbc6c1ce5eee962f82bcf881a63af1f478e6a097760f758df
ErbiumStealer
f1797eb5cfa2a5f644fdb9033ea1829d9612bc89848403b499233dabc16d92c8
ErbiumStealer
f229ca296345afadd9a7f0f4b9bfb45a71468631e07315502b31eadbe893db6a
ErbiumStealer
fd3d08972c19c851242c0e83cdcc3bca60dfcd5d2a92c64872862266a8a9e6ba
ErbiumStealer
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220906-f51cvachbk/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Blocklisted process makes network request
Unpacked files
SH256 hash:
feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9
MD5 hash:
6b74547f37e8c088ffa81dab867b241e
SHA1 hash:
f3659bfc4604aa588a079dbc6b3b5c934ac5872c
Link:
https://www.unpac.me/results/4fe64246-3281-46c7-a658-7dd84f6959cf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/feb498d81e29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/feb498d81e295a04e354d87936f1f3f6c6537f15fc51e3d83bcbf4980c73a7c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308026/

Comments