erbium | a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2022, 21:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.4MB
MD5

188a93699195c143a991f84c5a036ba0
SHA1

38b5afd259195428a1d2fb714d6ad33090d2d111
SHA256

a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f
SHA512

cfaffb26b838bb8b9416eff5f3b3bf6f737687a7620186345e356d5fdca3bf5db568f464fba79ffe3fc3a0304d6a92df86b85d6bd42aeaa7cc5575f982d1bb78
SSDEEP

24576:4aAtBN3NNoM0JYhYvIF2X0MO2ls0dG1Hrj53I+TS1/a4jLOxJ79WSS1l3RuQ5533:4aAPpNNoMZXIOS1/a4jY/il3z

Score

10^/10

erbium stealer

Malware Config

Extracted

Family

erbium

77.73.133.53

Signatures

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4748 set thread context of 100384	4748	file.exe	81

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 100384	4748	file.exe	81
PID 4748 wrote to memory of 100384	4748	file.exe	81
PID 4748 wrote to memory of 100384	4748	file.exe	81
PID 4748 wrote to memory of 100384	4748	file.exe	81
PID 4748 wrote to memory of 100384	4748	file.exe	81

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:100384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100384-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/100384-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download