erbium | 2180293a0c0b7340f85543d453c10e8f9a059b69a530428fe1858e92a7fa63c3

Resubmissions

13-10-2022 16:27

221013-tx24csdcb6 10

13-10-2022 16:20

221013-ttjgvachdp 10

Analysis

max time kernel
44s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHEESE.exe
Size

2.4MB
MD5

12ef571baf523c098fc4e96bb3759c21
SHA1

b476dd2bed415fbbc9c96e4a33160d12bf8413bb
SHA256

2180293a0c0b7340f85543d453c10e8f9a059b69a530428fe1858e92a7fa63c3
SHA512

e4e2354ee21ede5f3a61c00ac9766736e55e23bd3577b5bc41a7f493b8143159ca8d771fad7af4ee4b7fd56be450b82651f0ce87b82e873119e9f1655ac7249a
SSDEEP

24576:DYof7x+kxP2gEDiYbYXQZCsuMUTSyzdvi1ucvgDfR1JJMK3LTiF+cTl3RuQ5531C:kozx+kxugEaYu1JJMK3n/al3Q

Score

10^/10

erbium stealer

Malware Config

Signatures

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Downloads MZ/PE file
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 98688	1368	CHEESE.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
98800	98688	WerFault.exe	27

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 98688	1368	CHEESE.exe	27
PID 1368 wrote to memory of 98688	1368	CHEESE.exe	27
PID 1368 wrote to memory of 98688	1368	CHEESE.exe	27
PID 1368 wrote to memory of 98688	1368	CHEESE.exe	27
PID 1368 wrote to memory of 98688	1368	CHEESE.exe	27
PID 1368 wrote to memory of 98688	1368	CHEESE.exe	27
PID 98688 wrote to memory of 98800	98688	vbc.exe	28
PID 98688 wrote to memory of 98800	98688	vbc.exe	28
PID 98688 wrote to memory of 98800	98688	vbc.exe	28
PID 98688 wrote to memory of 98800	98688	vbc.exe	28

C:\Users\Admin\AppData\Local\Temp\CHEESE.exe
"C:\Users\Admin\AppData\Local\Temp\CHEESE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:98688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 98688 -s 312
    3⤵
    - Program crash
    PID:98800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/98688-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/98688-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/98688-63-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/98688-64-0x0000000006D30000-0x0000000006FF4000-memory.dmp

Filesize
2.8MB

Download
memory/98688-66-0x0000000006D30000-0x0000000006FF4000-memory.dmp

Filesize
2.8MB

Download
memory/98688-68-0x0000000006D30000-0x0000000006FF4000-memory.dmp

Filesize
2.8MB

Download
memory/98688-70-0x0000000006D30000-0x0000000006FF4000-memory.dmp

Filesize
2.8MB

Download
memory/98688-72-0x0000000006D30000-0x0000000006FF4000-memory.dmp

Filesize
2.8MB

Download
memory/98688-73-0x0000000006D30000-0x0000000006FF4000-memory.dmp

Filesize
2.8MB

Download