erbium | a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f

Analysis

max time kernel
64s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2022 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe
Size

2.4MB
MD5

188a93699195c143a991f84c5a036ba0
SHA1

38b5afd259195428a1d2fb714d6ad33090d2d111
SHA256

a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f
SHA512

cfaffb26b838bb8b9416eff5f3b3bf6f737687a7620186345e356d5fdca3bf5db568f464fba79ffe3fc3a0304d6a92df86b85d6bd42aeaa7cc5575f982d1bb78
SSDEEP

24576:4aAtBN3NNoM0JYhYvIF2X0MO2ls0dG1Hrj53I+TS1/a4jLOxJ79WSS1l3RuQ5533:4aAPpNNoMZXIOS1/a4jY/il3z

Score

10^/10

erbium stealer

Malware Config

Extracted

Family

erbium

77.73.133.53

Signatures

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe

description	pid	process	target process
PID 3272 set thread context of 100388	3272	a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe

description	pid	process	target process
PID 3272 wrote to memory of 100388	3272	a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe	vbc.exe
PID 3272 wrote to memory of 100388	3272	a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe	vbc.exe
PID 3272 wrote to memory of 100388	3272	a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe	vbc.exe
PID 3272 wrote to memory of 100388	3272	a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe	vbc.exe
PID 3272 wrote to memory of 100388	3272	a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe
"C:\Users\Admin\AppData\Local\Temp\a00f24ba8860d758a625918bcf4c863ffa867aff15f8f814b4826ee67254656f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:100388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100388-132-0x0000000000000000-mapping.dmp

Download
memory/100388-133-0x0000000000990000-0x0000000000995000-memory.dmp

Filesize
20KB

Download
memory/100388-139-0x0000000000990000-0x0000000000995000-memory.dmp

Filesize
20KB

Download