win.erbium_stealer

Erbium Stealer


Erbium is an information stealer advertised and sold as Malware-as-a-Service on cybercrime forums and Telegram since at least July 2022. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, plus a file-grabber capability.

References
2022-10-04Twitter (@sekoia_io)sekoia
@online{sekoia:20221004:tweets:49c9f1d, author = {sekoia}, title = {{Tweets detailing operation of Erbium stealer}}, date = {2022-10-04}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1577222282929311744}, language = {English}, urldate = {2022-12-05} } Tweets detailing operation of Erbium stealer
Erbium Stealer
2022-09-26Bleeping ComputerBill Toulas
@online{toulas:20220926:new:eb62360, author = {Bill Toulas}, title = {{New Erbium password-stealing malware spreads as game cracks, cheats}}, date = {2022-09-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/}, language = {English}, urldate = {2022-09-29} } New Erbium password-stealing malware spreads as game cracks, cheats
Erbium Stealer
2022-09-15DuskRiseCluster25 Threat Intel Team
@online{team:20220915:erbium:ed02078, author = {Cluster25 Threat Intel Team}, title = {{Erbium InfoStealer Enters the Scene: Characteristics and Origins}}, date = {2022-09-15}, organization = {DuskRise}, url = {https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer}, language = {English}, urldate = {2022-09-30} } Erbium InfoStealer Enters the Scene: Characteristics and Origins
Erbium Stealer
2022-09-01abuse.chabuse.ch
@online{abusech:20220901:new:3ae2715, author = {abuse.ch}, title = {{New stealer in town}}, date = {2022-09-01}, organization = {abuse.ch}, url = {https://twitter.com/abuse_ch/status/1565290110572175361}, language = {English}, urldate = {2022-09-01} } New stealer in town
Erbium Stealer
Yara Rules
[TLP:WHITE] win_erbium_stealer_auto (20230125 | Detects win.erbium_stealer.)
rule win_erbium_stealer_auto {
    /* Auto-generated Malpedia rule for the Erbium information stealer.
     * Each $sequence_N string is a short run of x86 opcode bytes lifted from
     * the disassembly of an unpacked sample / memory dump (see DISCLAIMER
     * below); the per-byte disassembly is reproduced in the comments under
     * each string. The rule fires when at least 7 of the 10 sequences are
     * present in an object smaller than 33792 bytes (see condition).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.erbium_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Because the sequences were taken from unpacked code, a packed sample on
     * disk is not expected to match; scan unpacked files or dumped memory.
     */

    strings:
        $sequence_0 = { 8b4df0 51 8b5508 52 ff55fc }
            // n = 5, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   ff55fc               | call                dword ptr [ebp - 4]

        $sequence_1 = { 8d8c24a4020000 40 51 50 }
            // n = 4, score = 100
            //   8d8c24a4020000       | lea                 ecx, [esp + 0x2a4]
            //   40                   | inc                 eax
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_2 = { 8b442410 03f8 3bfb 7601 cc }
            // n = 5, score = 100
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   03f8                 | add                 edi, eax
            //   3bfb                 | cmp                 edi, ebx
            //   7601                 | jbe                 3
            //   cc                   | int3                

        $sequence_3 = { 8b442414 03c7 89442424 8d542410 52 51 50 }
            // n = 7, score = 100
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   03c7                 | add                 eax, edi
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   52                   | push                edx
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_4 = { eb04 8b442414 33ff 33db 85c0 0f844c010000 a1???????? }
            // n = 7, score = 100
            //   eb04                 | jmp                 6
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   33ff                 | xor                 edi, edi
            //   33db                 | xor                 ebx, ebx
            //   85c0                 | test                eax, eax
            //   0f844c010000         | je                  0x152
            //   a1????????           |                     
            // The "????????" wildcards stand for a 4-byte absolute address
            // operand (a1 = mov eax, [moffs32]); the disassembly column is
            // blank because that operand is not matched. Presumably it is
            // wildcarded since absolute addresses vary between builds and
            // image bases. The same applies to ff15???????? (call dword ptr
            // [disp32]) and a3???????? (mov [moffs32], eax) in $sequence_7
            // and $sequence_8 below.

        $sequence_5 = { ffd6 33c0 0f1f00 40 }
            // n = 4, score = 100
            //   ffd6                 | call                esi
            //   33c0                 | xor                 eax, eax
            //   0f1f00               | nop                 dword ptr [eax]
            //   40                   | inc                 eax

        $sequence_6 = { 6a01 8b55fc 52 8b45e4 8b08 }
            // n = 5, score = 100
            //   6a01                 | push                1
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_7 = { 50 ff15???????? 8b442448 48 a3???????? 8db000000004 f7d0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   48                   | dec                 eax
            //   a3????????           |                     
            //   8db000000004         | lea                 esi, [eax + 0x4000000]
            //   f7d0                 | not                 eax

        $sequence_8 = { 6a00 53 ff15???????? 8bf8 897c2414 }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi

        $sequence_9 = { 8b4524 8945a8 6a00 6800100000 8b4d0c 51 }
            // n = 6, score = 100
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   6a00                 | push                0
            //   6800100000           | push                0x1000
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx

    condition:
        // At least 7 of the 10 $sequence_* strings must be present AND the
        // scanned object must be smaller than 33792 bytes (33 KiB). The size
        // bound rejects larger objects even when every sequence matches, so
        // padded or appended-to files and large dumps that exceed it will
        // not fire; raise the bound if that is a problem in your use case.
        7 of them and filesize < 33792
}