Overview

overview

10

Static

static

7

exe/2323.exe

windows7-x64

10

exe/2323.exe

windows10-2004-x64

10

exe/FIImora_FuII.exe

windows7-x64

10

exe/FIImora_FuII.exe

windows10-2004-x64

10

exe/fakehack.exe

windows7-x64

10

exe/fakehack.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    exe/fakehack.exe

  • Size

    2.9MB

  • MD5

    3b96efee02ac3bca2d195b230efc0d85

  • SHA1

    5a2ee976f377c59cba519ac6a81ac13c43f3ea3d

  • SHA256

    04e70fcec6839e00cfe5b4d34f44d97a17385a61d63dd2416ad1141c30cd5dfe

  • SHA512

    3bec8bf57dd99d0a31d720f14e61bc33d9c0f77ee65ccf040eb2bfbc9ff312b2d7354b9c358fa618d93ae39a3059543d4d5e36441523afaa3e96a9897a72fe54

  • SSDEEP

    49152:PC8iliyOZRp+jqdichvEo8SfspRxHHRJDx76f4oIiburazgz/KMiNERpzWy2N:P/L/+jWichcIfsti4Q4Ug7LiNGph2N

Score
10/10
erbiumdiscoveryevasionstealerthemidatrojan

Malware Config

Extracted

Family

erbium

C2

77.73.133.53

Signatures

  • Erbium

    Erbium is an infostealer written in C++ and first seen in July 2022.

    stealererbium
  • Erbium family
    erbium
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\exe\fakehack.exe
    "C:\Users\Admin\AppData\Local\Temp\exe\fakehack.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/528-0-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-1-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-3-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-2-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-4-0x0000000077B40000-0x0000000077B42000-memory.dmp

    Filesize

    8KB

    Download

  • memory/528-6-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-5-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-7-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/528-9-0x0000000000240000-0x00000000009B6000-memory.dmp

    Filesize

    7.5MB

    Download