erbium | ef41251a07fff8f963c31cd23674eeb13871a2ac66d279e0bbacd1412473f3ba

Analysis

max time kernel
37s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-11-2022 19:48

Target

Setup1.3/Setup.exe
Size

219KB
MD5

6aad758680ee8382509078b8d3313b23
SHA1

9663d3386c557637864082ff3572de53acc223b0
SHA256

46fb066036bdb30458f53f50dae74071ca3c92d3b5b80af2c2033514691a820e
SHA512

4d021e3880f183990213346f62dbae75cfd42e22cbe86d99d715b6f2dac5224bbc74626ee5707bb70c8b19f64f843ac8a0b0bfefbf3265a72086af6a572ec1dd
SSDEEP

6144:s71Yq5f9cbMee66SCwfYXbyLuBzMAOu0CExi:s71Yw9cbMee667LMcbEx

Score

10^/10

erbium stealer

Family

erbium

http://77.73.133.53/cloud/index.php

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 95928	1928	Setup.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
95972	1928	WerFault.exe	25

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95928	1928	Setup.exe	27
PID 1928 wrote to memory of 95972	1928	Setup.exe	28
PID 1928 wrote to memory of 95972	1928	Setup.exe	28
PID 1928 wrote to memory of 95972	1928	Setup.exe	28
PID 1928 wrote to memory of 95972	1928	Setup.exe	28
PID 1928 wrote to memory of 95972	1928	Setup.exe	28
PID 1928 wrote to memory of 95972	1928	Setup.exe	28
PID 1928 wrote to memory of 95972	1928	Setup.exe	28

C:\Users\Admin\AppData\Local\Temp\Setup1.3\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup1.3\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:95928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 94820
  2⤵
  - Program crash
  PID:95972

memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/95928-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/95928-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/95928-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/95928-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/95928-68-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download
memory/95928-70-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download
memory/95928-72-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download
memory/95928-74-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download
memory/95928-76-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download
memory/95928-77-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download
memory/95928-79-0x0000000006B30000-0x0000000006DF4000-memory.dmp

Filesize
2.8MB

Download