Edit tour

Windows Analysis Report
478fukupP9.dll

Overview

General Information

Sample Name:	478fukupP9.dll
Analysis ID:	728621
MD5:	800619c7ef9baa08d8b9166afc95ce75
SHA1:	e97b1c9da42e67666a46ac930187695d3987d1a5
SHA256:	b8490732ccb34fdd76910ee15aa3eced95ef445f2ab287d45181f98f44742df1
Tags:	dllErbiumStealer
Infos:

Detection

Erbium Stealer

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Erbium Stealer

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Yara signature match

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Contains functionality to detect virtual machines (STR)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Contains functionality to detect virtual machines (SIDT)

Contains functionality to detect virtual machines (SGDT)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2788 cmdline: loaddll32.exe "C:\Users\user\Desktop\478fukupP9.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2920 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4908 cmdline: rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Erbium Stealer

{"C2 list": ["http://77.73.133.53/cloud/index.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
478fukupP9.dll	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
478fukupP9.dll	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
00000003.00000000.242673427.0000000010001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
00000003.00000000.243200020.0000000010001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
Process Memory Space: loaddll32.exe PID: 2788	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24c2d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x24d1f:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: rundll32.exe PID: 4908	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x26b48:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x26c3a:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.rundll32.exe.10000000.1.unpack	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
3.0.rundll32.exe.10000000.1.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.loaddll32.exe.10000000.0.unpack	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
0.2.loaddll32.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
3.2.rundll32.exe.10000000.0.unpack	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
3.2.rundll32.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
3.0.rundll32.exe.10000000.0.unpack	JoeSecurity_ErbiumStealer	Yara detected Erbium Stealer	Joe Security
3.0.rundll32.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.73.133.53/cloud/index.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://77.73.133.53/cloud/index.php

Virustotal: Detection: 10%

Perma Link

Source: 0.2.loaddll32.exe.10000000.0.unpack

Malware Configuration Extractor: Erbium Stealer {"C2 list": ["http://77.73.133.53/cloud/index.php"]}

Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://77.73.133.53/cloud/index.php

Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	String found in binary or memory: http://www.winimage.com/zLibDll
Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	String found in binary or memory: http://www.winimage.com/zLibDll1.2.11.1-motley.z%02d...././///.//../6666666666666666jjjjjjjjjjjjjjjj
Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	String found in binary or memory: https://curl.se/docs/hsts.html
Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	String found in binary or memory: https://curl.se/docs/http-cookies.html

Source: loaddll32.exe, 00000000.00000002.241205230.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 478fukupP9.dll, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: loaddll32.exe PID: 2788, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: rundll32.exe PID: 4908, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: 478fukupP9.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: loaddll32.exe PID: 2788, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: rundll32.exe PID: 4908, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 640

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_101A9B30

0_2_101A9B30

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\478fukupP9.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 640
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C69.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.winDLL@7/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

Source: 478fukupP9.dll

Static file information: File size 2877955 > 1048576

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_010FAD48 push eax; iretd

3_2_010FAD49

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_010FA1C0 str word ptr [eax+010E3C30h]

3_2_010FA1C0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_010F08C4 sidt fword ptr [ecx+edx*4]

3_2_010F08C4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_010F08C4 sgdt fword ptr [ecx]

3_2_010F08C4

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected Erbium Stealer

Source: Yara match	File source: 478fukupP9.dll, type: SAMPLE
Source: Yara match	File source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.242673427.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.243200020.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Erbium Stealer

Source: Yara match	File source: 478fukupP9.dll, type: SAMPLE
Source: Yara match	File source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.242673427.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.243200020.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	4 Virtualization/Sandbox Evasion	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Rundll32	LSASS Memory	4 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://curl.se/docs/hsts.html	0%	URL Reputation	safe
https://curl.se/docs/alt-svc.html	0%	URL Reputation	safe
https://curl.se/docs/http-cookies.html	0%	URL Reputation	safe
http://77.73.133.53/cloud/index.php	10%	Virustotal		Browse
http://77.73.133.53/cloud/index.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://77.73.133.53/cloud/index.php	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	false		high
https://curl.se/docs/alt-svc.html	loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html	loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll1.2.11.1-motley.z%02d...././///.//../6666666666666666jjjjjjjjjjjjjjjj	loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	728621
Start date and time:	2022-10-23 19:49:37 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	478fukupP9.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.winDLL@7/4@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.172
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus07.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 2788 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4908 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:50:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_1749665c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8868746115580167
Encrypted:	false
SSDEEP:	192:H/kiPl0oXJrHBUZMX4jed+w/u7swS274ItWc:MiTXlBUZMX4jed/u7swX4ItWc
MD5:	69FDF1CED78888C96EF275AD3D13FBA4
SHA1:	A1C95A61CBC1BC87E1524AB65B2A3D69BBD8DAFD
SHA-256:	AF80A1E8C5920C53B02D809037425CF23AD157F77D1846723CCC271BF57AC7DC
SHA-512:	28AB0365851FC37DB0DAECC9A849A0AA2941AF5D06769E88FD7DF4B5D77DAE6C1C2047F50FC89D2756B4F20B45524B3AE5B91F4052678294D93065E5016B8C8C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.1.0.5.3.4.3.5.9.4.2.5.9.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.1.0.5.3.4.3.7.2.3.9.4.6.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.1.c.7.4.a.7.-.d.0.4.d.-.4.0.5.a.-.a.5.b.7.-.5.2.2.b.2.5.1.b.b.7.b.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.f.4.1.5.5.6.-.0.4.1.a.-.4.a.a.e.-.b.0.2.d.-.b.0.1.2.d.4.c.0.8.5.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.2.c.-.0.0.0.1.-.0.0.1.a.-.6.8.4.3.-.5.9.6.2.5.3.e.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C69.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 24 02:50:36 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	38682
Entropy (8bit):	2.326849442393715
Encrypted:	false
SSDEEP:	192:OPe3Qh7SO5Skb0XRjUJqfIshJa6a7EG4Qn1RPSrxqHdnzQR:r4p5Lb0yJiIsba6a7EGX1RPJd8R
MD5:	FB49FDC002B342C19D97FC796D6B091D
SHA1:	9D775639F6247013D7FFC53797A0C236B2F09921
SHA-256:	964534CD82F7734EB8805B15654199D0ED112677384FC1DF808C8A06F71E7E1B
SHA-512:	C61B238D6CDBC4A96454A1B62E3E3644256D7B899D93A232FAA1316CFEA4F9DE70780A092E72784B61168E94A47AA8305BE7004572EA51F4E46AEDF16F4B909C
Malicious:	false
Preview:	MDMP....... .......\|.Uc............d...........P...l...........Z(..........T.......8...........T................}...........................................................................................U...........B......@.......GenuineIntelW...........T.......,...x.Uc.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EFA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8250
Entropy (8bit):	3.6911575794643308
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiQ/6Dq3p6YSu6gRgmfTkn4SfnPCprQ89bdvsfrfm:RrlsNiI6e3p6Y762gmfTk4SCdUf6
MD5:	50E6FDA7624C00351C604F516F31C02A
SHA1:	1B4C5B2215DA83424893C85BFFD03E35C29B2AF2
SHA-256:	3CFA72CA1212F974E498D9D8DC74BB182AB6CD55D99103A1536D447D44670951
SHA-512:	159A557713F7D3CBFC57AF5A5B285714E1E7B15AAD15888DB32A24DD64EC67E691D0A414D514391F911F2D04F7C00CBE1690B29720D15AB3B66B4D6A6D5614CD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FB7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.451897131342143
Encrypted:	false
SSDEEP:	48:cvIwSD8zsBJgtWI9nPWgc8sqYjk8fm8M4JCdsfFKO+q8/5C4SrSBd:uITfTsegrsqYNJbFDWBd
MD5:	E570DF4400CF9D0A4E23C40BA825FB2F
SHA1:	7FBA1C2C418C984C48AA9596AEECFE715D87C07A
SHA-256:	326FF5481399EFB29C7852406C3B5E4BC26C22C2F5BB5E465D102835271CDDD8
SHA-512:	CA141C375E2EECCF6EF61D22CED11848A509233B3816AC26660F2840384052E5D080E217DAF46FAA946D29D0C4C2AB695422B327FBEE147023925C56FCF1598F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1748881" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.858540221447988
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	478fukupP9.dll
File size:	2877955
MD5:	800619c7ef9baa08d8b9166afc95ce75
SHA1:	e97b1c9da42e67666a46ac930187695d3987d1a5
SHA256:	b8490732ccb34fdd76910ee15aa3eced95ef445f2ab287d45181f98f44742df1
SHA512:	abe650bc340f6c1dc60fbc0296c0678cefa9249cbeb2b315ea02565d78c39db3c31679190fe1012e70a7a992cc47fc6053926b928c945b6c9d50f24deb4aa61f
SSDEEP:	49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYcS2ek:P1Kqvv07noI7lOOYcW
TLSH:	74D58E31E643D061D9C524B0EA7DBFF26C38992487B860F7E6E40CAAA5254D1733FB52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d;.4 Zig Zig Zig.(jf4Zig.(lf.ZigB".g&ZigB"mf1ZigB"jf9Zig./lf.Zig./mf.Zig.(mf9ZigB"lf{Zig.(hf9Zig Zhgx[igA `f.ZigA .g!ZigA kf!Zi

File Icon


Icon Hash:	74f0e4ecccdce0e4

Target ID:	0
Start time:	19:50:32
Start date:	23/10/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\478fukupP9.dll"
Imagebase:	0xf50000
File size:	116736 bytes
MD5 hash:	1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_ErbiumStealer, Description: Yara detected Erbium Stealer, Source: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	1
Start time:	19:50:32
Start date:	23/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	19:50:32
Start date:	23/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1
Imagebase:	0xa60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	19:50:32
Start date:	23/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1
Imagebase:	0x12a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_ErbiumStealer, Description: Yara detected Erbium Stealer, Source: 00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ErbiumStealer, Description: Yara detected Erbium Stealer, Source: 00000003.00000000.242673427.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ErbiumStealer, Description: Yara detected Erbium Stealer, Source: 00000003.00000000.243200020.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	19:50:34
Start date:	23/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 640
Imagebase:	0x170000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Function 101A9B30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241216579.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241658014.0000000010254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241759726.00000000102A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241769602.00000000102AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd15ee638b582ee14530fa427e98ee50685003dcf58a085d4fb317dc9662afaf
Instruction ID: e513a77291d1a912a241f52ac55f4eab41f1cec5b7249da9ed992de3a52c986b
Opcode Fuzzy Hash: bd15ee638b582ee14530fa427e98ee50685003dcf58a085d4fb317dc9662afaf
Instruction Fuzzy Hash: B851CCB4C00249EFCB48CF99D6919AEFBB2FB49300F2085AAD451AB350D734AB41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 101AC287 Relevance: 20.1, Strings: 16, Instructions: 54COMMON

Download Yara Rule

Strings

regex_error(error_complexity): The complexity of an attempted match against a regular expression exceeded a pre-set level., xrefs: 101AC2E6
regex_error(error_ctype): The expression contained an invalid character class name., xrefs: 101AC2A0
regex_error(error_paren): The expression contained mismatched ( and )., xrefs: 101AC2BC
regex_error(error_brace): The expression contained mismatched { and }., xrefs: 101AC2C3
regex_error(error_space): There was insufficient memory to convert the expression into a finite state machine., xrefs: 101AC2D8
regex_error(error_badrepeat): One of *?+{ was not preceded by a valid regular expression., xrefs: 101AC2DF
regex_error(error_syntax), xrefs: 101AC2FB
regex_error(error_badbrace): The expression contained an invalid range in a { expression }., xrefs: 101AC2CA
regex_error(error_escape): The expression contained an invalid escaped character, or a trailing escape., xrefs: 101AC2A7
regex_error(error_backref): The expression contained an invalid back reference., xrefs: 101AC2AE
regex_error, xrefs: 101AC302
regex_error(error_collate): The expression contained an invalid collating element name., xrefs: 101AC299
regex_error(error_brack): The expression contained mismatched [ and ]., xrefs: 101AC2B5
regex_error(error_range): The expression contained an invalid character range, such as [b-a] in most encodings., xrefs: 101AC2D1
regex_error(error_parse), xrefs: 101AC2F4
regex_error(error_stack): There was insufficient memory to determine whether the regular expression could match the specified character sequence., xrefs: 101AC2ED

Memory Dump Source

Source File: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241216579.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241658014.0000000010254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241759726.00000000102A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241769602.00000000102AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: regex_error$regex_error(error_backref): The expression contained an invalid back reference.$regex_error(error_badbrace): The expression contained an invalid range in a { expression }.$regex_error(error_badrepeat): One of *?+{ was not preceded by a valid regular expression.$regex_error(error_brace): The expression contained mismatched { and }.$regex_error(error_brack): The expression contained mismatched [ and ].$regex_error(error_collate): The expression contained an invalid collating element name.$regex_error(error_complexity): The complexity of an attempted match against a regular expression exceeded a pre-set level.$regex_error(error_ctype): The expression contained an invalid character class name.$regex_error(error_escape): The expression contained an invalid escaped character, or a trailing escape.$regex_error(error_paren): The expression contained mismatched ( and ).$regex_error(error_parse)$regex_error(error_range): The expression contained an invalid character range, such as [b-a] in most encodings.$regex_error(error_space): There was insufficient memory to convert the expression into a finite state machine.$regex_error(error_stack): There was insufficient memory to determine whether the regular expression could match the specified character sequence.$regex_error(error_syntax)
API String ID: 0-2293683844
Opcode ID: 47431f9bcd6285cc59bae3aa918a9634bf6f27051db333f7779d5f8d03135129
Instruction ID: 88602c971d275b1354d2c3b9c37fa674573f9b555a6b5d9228d32c0f3361b81f
Opcode Fuzzy Hash: 47431f9bcd6285cc59bae3aa918a9634bf6f27051db333f7779d5f8d03135129
Instruction Fuzzy Hash: C4F0EC32BD118C42CA0086AC74455ADF7DDD78686D3CA4192F59ECAE00CE12ECB8A54D

Uniqueness

Uniqueness Score: -1.00%

Function 10220E20 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 10220E57
___except_validate_context_record.LIBVCRUNTIME ref: 10220E5F
_ValidateLocalCookies.LIBCMT ref: 10220EE8
__IsNonwritableInCurrentImage.LIBCMT ref: 10220F13
_ValidateLocalCookies.LIBCMT ref: 10220F68

Strings

csm, xrefs: 10220EFD

Memory Dump Source

Source File: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241216579.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241658014.0000000010254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241759726.00000000102A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241769602.00000000102AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b0a38f43f3cbf0d8cbe66659853d5cbdff7fb5ff2984035179dd8d122b14598f
Instruction ID: fe928793a8f719c075aaed198380f7d93d4b1e3497d86793d82c3bac3f711f7b
Opcode Fuzzy Hash: b0a38f43f3cbf0d8cbe66659853d5cbdff7fb5ff2984035179dd8d122b14598f
Instruction Fuzzy Hash: DE511E34A002569BCB10CFB8D8816AE77E5FF05354FA1C555FC04AB252EB79EDA1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10038E40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 10038E45

Part of subcall function 101AC381: std::invalid_argument::invalid_argument.LIBCONCRT ref: 101AC38D
Part of subcall function 101AC381: std::invalid_argument::invalid_argument.LIBCONCRT ref: 101AC3AD
Part of subcall function 101AC381: std::regex_error::regex_error.LIBCPMT ref: 101AC3CD

___std_exception_copy.LIBVCRUNTIME ref: 10038E6E

Strings

string too long, xrefs: 10038E40

Memory Dump Source

Source File: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241216579.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241658014.0000000010254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241759726.00000000102A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.241769602.00000000102AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument$Xinvalid_argument___std_exception_copystd::_std::regex_error::regex_error
String ID: string too long
API String ID: 1198626707-2556327735
Opcode ID: 89eb153633cc1604ab31d24da96e66325a6b742de7a6ccae2e9f52b312296cf6
Instruction ID: 736b766f07d0572c0e1500a3a863394a93078934995c4d714d12bb898ffefe70
Opcode Fuzzy Hash: 89eb153633cc1604ab31d24da96e66325a6b742de7a6ccae2e9f52b312296cf6
Instruction Fuzzy Hash: 7DE0C2B6A1021897C700EFA8DC418C3F79CEE66554750C52AF658EB600FBB0F4A087E4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 4908, Parent PID: 2920COMMON

Non-executed Functions

Function 010FA1C0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254142031.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, Offset: 010EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10ea000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a93eefb5f6bf0b635416e5809356cc23cfc9bbd37145981d3abe7fe17461b6
Instruction ID: 4dfa4faaab7b8bb79f129bc5f420ff7f1616a57fa95a32ac953c8704ff27415f
Opcode Fuzzy Hash: 34a93eefb5f6bf0b635416e5809356cc23cfc9bbd37145981d3abe7fe17461b6
Instruction Fuzzy Hash: 49110D6291E3D04FD343977448266803FB0AE5312070E42DBD0E9CF5E3E69C8809C723

Uniqueness

Uniqueness Score: -1.00%

Function 010F08C4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254142031.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, Offset: 010EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10ea000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6022727a7bf8e05a59d7c025eff21ae2e1a4c36b9da1d4662121f02bb62a74
Instruction ID: e873777ca01e899ecf657e8dfb923e0176f9fdd130778e38e9285f6b7953f4b8
Opcode Fuzzy Hash: da6022727a7bf8e05a59d7c025eff21ae2e1a4c36b9da1d4662121f02bb62a74
Instruction Fuzzy Hash: 2FF0AE1120F7D25FD7138B384C626507F72AE17204B6E02DBE2C0DE8E7D14A581AD3A6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 478fukupP9.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Erbium Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_1749665c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C69.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EFA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FB7.tmp.xml

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 2788, Parent PID: 3320

General

Chronological Activities

Analysis Process: conhost.exePID: 5016, Parent PID: 2788

Windows Analysis Report
478fukupP9.dll