erbium | 94b3f2cd0a0c184c2538b257654b6bac86454cfc56fb0c55f6c407dc608de34b

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2022 21:36

Target

file.exe
Size

2.4MB
MD5

32ad48e02ef9597a3e29a77dff191446
SHA1

6daa7288df7fc8f67f22f9b2b5716642df04d43b
SHA256

94b3f2cd0a0c184c2538b257654b6bac86454cfc56fb0c55f6c407dc608de34b
SHA512

f37d438a0cd98bb217e5beaf46aab99c9bed37d456db23d91420cf5904e49959f5d0bdbdc91a781317fecc111efd37c9d68fd533a2c5a907ace77f0b60677578
SSDEEP

24576:+4YsDAbKJyb8W6YUY0IP0uuM+0SPaTd1dr2KquDHFBlGFpgILv8+UXl3RuQ5531T:+4YsDAbEyb8XTV4FBlGFpgID8lXl3h

Score

10^/10

erbium stealer

Family

erbium

77.73.133.53

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4748 set thread context of 100456 4748 file.exe vbc.exe

description	pid	process	target process
PID 4748 set thread context of 100456	4748	file.exe	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4748 wrote to memory of 100456	4748	file.exe	vbc.exe
PID 4748 wrote to memory of 100456	4748	file.exe	vbc.exe
PID 4748 wrote to memory of 100456	4748	file.exe	vbc.exe
PID 4748 wrote to memory of 100456	4748	file.exe	vbc.exe
PID 4748 wrote to memory of 100456	4748	file.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:100456

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/100456-132-0x0000000000000000-mapping.dmp

Download
memory/100456-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/100456-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download