win.erbium_stealer

Erbium Stealer


Erbium is an information stealer advertised and sold as Malware-as-a-Service (MaaS) on cybercrime forums and Telegram since at least July 2022. Its capabilities are those of a classic information stealer (credential theft, per the references below), with a particular focus on cryptocurrency wallets, plus a file-grabber component. Reported distribution has been through fake game cracks and cheats (see the Bleeping Computer reference), so victims are typically end-user workstations rather than servers.

References
2022-10-04 | Twitter (@sekoia_io) | sekoia
@online{sekoia:20221004:tweets:49c9f1d, author = {sekoia}, title = {{Tweets detailing operation of Erbium stealer}}, date = {2022-10-04}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1577222282929311744}, language = {English}, urldate = {2022-12-05} } Tweets detailing operation of Erbium stealer
Erbium Stealer
2022-09-26 | Bleeping Computer | Bill Toulas
@online{toulas:20220926:new:eb62360, author = {Bill Toulas}, title = {{New Erbium password-stealing malware spreads as game cracks, cheats}}, date = {2022-09-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/}, language = {English}, urldate = {2022-09-29} } New Erbium password-stealing malware spreads as game cracks, cheats
Erbium Stealer
2022-09-15 | DuskRise | Cluster25 Threat Intel Team
@online{team:20220915:erbium:ed02078, author = {Cluster25 Threat Intel Team}, title = {{Erbium InfoStealer Enters the Scene: Characteristics and Origins}}, date = {2022-09-15}, organization = {DuskRise}, url = {https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer}, language = {English}, urldate = {2022-09-30} } Erbium InfoStealer Enters the Scene: Characteristics and Origins
Erbium Stealer
2022-09-01 | abuse.ch | abuse.ch
@online{abusech:20220901:new:3ae2715, author = {abuse.ch}, title = {{New stealer in town}}, date = {2022-09-01}, organization = {abuse.ch}, url = {https://twitter.com/abuse_ch/status/1565290110572175361}, language = {English}, urldate = {2022-09-01} } New stealer in town
Erbium Stealer
Yara Rules
[TLP:WHITE] win_erbium_stealer_auto (20230407 | Detects win.erbium_stealer.)
/*
 * Autogenerated code-pattern signature for Erbium Stealer (Malpedia id win.erbium_stealer).
 * Ten short 32-bit x86 instruction sequences were extracted from unpacked samples /
 * memory dumps; the rule fires when at least 7 of the 10 are present in a scanned
 * object smaller than 33792 bytes (33 KiB). Review notes before deploying:
 *  - The patterns are machine code, not strings, so the rule targets the unpacked
 *    payload. A packed/obfuscated dropper on disk will not match until it is unpacked.
 *  - `filesize < 33792` excludes larger builds of the payload; relax or drop it if you
 *    scan full memory dumps or later versions that grew past this size. `filesize`
 *    is also not meaningful for every scan target (e.g. process scans) -- confirm
 *    how your YARA engine/version evaluates it there.
 *  - The `??` wildcards stand in for call/jump targets and data references that are
 *    relocation- or build-specific (see the signator_config meta below).
 *  - Per the generator disclaimer, the sequences come from a single documented
 *    sample; treat hits as medium-confidence and corroborate with other indicators.
 */
rule win_erbium_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.erbium_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator wildcarded/used: call+jump targets, data refs, immediates.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is a contiguous instruction sequence; "n" is its instruction
        // count and "score" is the generator's per-sequence score. Lines with no
        // disassembly in the comment column are the wildcarded (??) operands.

        // ff15 + ?? ?? ?? ??: call dword ptr [imm32] -- import-thunk address wildcarded.
        $sequence_0 = { 8b55f4 52 ff15???????? 898578ffffff 8b450c 0fb708 }
            // n = 6, score = 100
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   898578ffffff         | mov                 dword ptr [ebp - 0x88], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb708               | movzx               ecx, word ptr [eax]

        // e9 + ?? ?? ?? ??: jmp rel32 -- displacement wildcarded. The imul-by-9 indexes
        // an 8-byte-stride table at [edx + ecx + 0x64] (structure layout not visible here).
        $sequence_1 = { e9???????? b808000000 6bc809 8b55f4 837c0a6400 7448 b808000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   b808000000           | mov                 eax, 8
            //   6bc809               | imul                ecx, eax, 9
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   837c0a6400           | cmp                 dword ptr [edx + ecx + 0x64], 0
            //   7448                 | je                  0x4a
            //   b808000000           | mov                 eax, 8

        $sequence_2 = { 6a04 ff7508 8d4df8 ff75e4 ff75e0 6a00 }
            // n = 6, score = 100
            //   6a04                 | push                4
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   6a00                 | push                0

        // Walks a wide (UTF-16) string two bytes at a time until a NUL word.
        $sequence_3 = { 8d8424a0000000 7409 83c002 66833800 }
            // n = 4, score = 100
            //   8d8424a0000000       | lea                 eax, [esp + 0xa0]
            //   7409                 | je                  0xb
            //   83c002               | add                 eax, 2
            //   66833800             | cmp                 word ptr [eax], 0

        // 68 + ?? ?? ?? ??: push imm32 -- absolute data address wildcarded (relocation-dependent).
        $sequence_4 = { 6a00 6800100000 68???????? 8b45e8 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6800100000           | push                0x1000
            //   68????????           |                     
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_5 = { ff15???????? eb08 33c0 eb04 8b442414 33ff 33db }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   eb08                 | jmp                 0xa
            //   33c0                 | xor                 eax, eax
            //   eb04                 | jmp                 6
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   33ff                 | xor                 edi, edi
            //   33db                 | xor                 ebx, ebx

        $sequence_6 = { 8b11 81e200000080 741a 8b45f0 8b08 81e1ffff0000 }
            // n = 6, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   81e200000080         | and                 edx, 0x80000000
            //   741a                 | je                  0x1c
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   81e1ffff0000         | and                 ecx, 0xffff

        $sequence_7 = { 8955f8 b808000000 6bc805 8b55f4 }
            // n = 4, score = 100
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   b808000000           | mov                 eax, 8
            //   6bc805               | imul                ecx, eax, 5
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_8 = { 897dfc 3bf8 7455 0fb74f2c }
            // n = 4, score = 100
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   3bf8                 | cmp                 edi, eax
            //   7455                 | je                  0x57
            //   0fb74f2c             | movzx               ecx, word ptr [edi + 0x2c]

        // Indirect call through a stack-held function pointer ([ebp - 0x34]); no wildcard needed.
        $sequence_9 = { 83c102 51 8b55d0 52 ff55cc 8b4de8 8901 }
            // n = 7, score = 100
            //   83c102               | add                 ecx, 2
            //   51                   | push                ecx
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   52                   | push                edx
            //   ff55cc               | call                dword ptr [ebp - 0x34]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8901                 | mov                 dword ptr [ecx], eax

    condition:
        // At least 7 of the 10 sequences must hit (tolerates minor recompilation drift),
        // and the scanned object must be under 33792 bytes (33 KiB) -- i.e. a small,
        // unpacked build. Loosen the size cap if it causes misses on newer samples.
        7 of them and filesize < 33792
}