erbium | a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-12-2022 21:37

Target

file.exe
Size

2.4MB
MD5

188a93699195c143a991f84c5a036ba0
SHA1

38b5afd259195428a1d2fb714d6ad33090d2d111
SHA256

a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f
SHA512

cfaffb26b838bb8b9416eff5f3b3bf6f737687a7620186345e356d5fdca3bf5db568f464fba79ffe3fc3a0304d6a92df86b85d6bd42aeaa7cc5575f982d1bb78
SSDEEP

24576:4aAtBN3NNoM0JYhYvIF2X0MO2ls0dG1Hrj53I+TS1/a4jLOxJ79WSS1l3RuQ5533:4aAPpNNoMZXIOS1/a4jY/il3z

Score

10^/10

erbium stealer

Family

erbium

77.73.133.53

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 1504 set thread context of 98392 1504 file.exe vbc.exe

description	pid	process	target process
PID 1504 set thread context of 98392	1504	file.exe	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1504 wrote to memory of 98392	1504	file.exe	vbc.exe
PID 1504 wrote to memory of 98392	1504	file.exe	vbc.exe
PID 1504 wrote to memory of 98392	1504	file.exe	vbc.exe
PID 1504 wrote to memory of 98392	1504	file.exe	vbc.exe
PID 1504 wrote to memory of 98392	1504	file.exe	vbc.exe
PID 1504 wrote to memory of 98392	1504	file.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:98392

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/98392-54-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download
memory/98392-56-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download
memory/98392-62-0x00000000000816F0-mapping.dmp

Download
memory/98392-63-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download