erbium | 94b3f2cd0a0c184c2538b257654b6bac86454cfc56fb0c55f6c407dc608de34b

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22/12/2022, 21:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.4MB
MD5

32ad48e02ef9597a3e29a77dff191446
SHA1

6daa7288df7fc8f67f22f9b2b5716642df04d43b
SHA256

94b3f2cd0a0c184c2538b257654b6bac86454cfc56fb0c55f6c407dc608de34b
SHA512

f37d438a0cd98bb217e5beaf46aab99c9bed37d456db23d91420cf5904e49959f5d0bdbdc91a781317fecc111efd37c9d68fd533a2c5a907ace77f0b60677578
SSDEEP

24576:+4YsDAbKJyb8W6YUY0IP0uuM+0SPaTd1dr2KquDHFBlGFpgILv8+UXl3RuQ5531T:+4YsDAbEyb8XTV4FBlGFpgID8lXl3h

Score

10^/10

erbium stealer

Malware Config

Extracted

Family

erbium

77.73.133.53

Signatures

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 98400	1404	file.exe	29

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 98400	1404	file.exe	29
PID 1404 wrote to memory of 98400	1404	file.exe	29
PID 1404 wrote to memory of 98400	1404	file.exe	29
PID 1404 wrote to memory of 98400	1404	file.exe	29
PID 1404 wrote to memory of 98400	1404	file.exe	29
PID 1404 wrote to memory of 98400	1404	file.exe	29

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:98400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/98400-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/98400-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/98400-63-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download