erbium | 12f14e1af4c6952b968d05f51c08dd1b9e170d072aee4fd073510c55d54eba27

Resubmissions

14-10-2022 06:08

221014-gwce4abbe6 7

14-10-2022 06:00

221014-gqlrksahdk 10

Analysis

max time kernel
112s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHEESE.exe
Size

2.4MB
MD5

12ef571baf523c098fc4e96bb3759c21
SHA1

b476dd2bed415fbbc9c96e4a33160d12bf8413bb
SHA256

2180293a0c0b7340f85543d453c10e8f9a059b69a530428fe1858e92a7fa63c3
SHA512

e4e2354ee21ede5f3a61c00ac9766736e55e23bd3577b5bc41a7f493b8143159ca8d771fad7af4ee4b7fd56be450b82651f0ce87b82e873119e9f1655ac7249a
SSDEEP

24576:DYof7x+kxP2gEDiYbYXQZCsuMUTSyzdvi1ucvgDfR1JJMK3LTiF+cTl3RuQ5531C:kozx+kxugEaYu1JJMK3n/al3Q

Score

10^/10

erbium stealer

Malware Config

Extracted

Family

erbium

http://77.73.133.53/cloud/index.php

Signatures

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Downloads MZ/PE file
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 100604	4908	CHEESE.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
100920	100604	WerFault.exe	83

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 100604	4908	CHEESE.exe	83
PID 4908 wrote to memory of 100604	4908	CHEESE.exe	83
PID 4908 wrote to memory of 100604	4908	CHEESE.exe	83
PID 4908 wrote to memory of 100604	4908	CHEESE.exe	83
PID 4908 wrote to memory of 100604	4908	CHEESE.exe	83

C:\Users\Admin\AppData\Local\Temp\CHEESE.exe
"C:\Users\Admin\AppData\Local\Temp\CHEESE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:100604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 100604 -s 956
    3⤵
    - Program crash
    PID:100920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 100604 -ip 100604
1⤵
PID:100888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100604-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/100604-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/100604-140-0x0000000005700000-0x00000000059C4000-memory.dmp

Filesize
2.8MB

Download
memory/100604-141-0x0000000005700000-0x00000000059C4000-memory.dmp

Filesize
2.8MB

Download
memory/100604-142-0x0000000005700000-0x00000000059C4000-memory.dmp

Filesize
2.8MB

Download