Erbium Stealer, a new Infostealer enters the scene

Cluster25 has obtained a sample of Erbium InfoStealer, a new malware family that alters its own identifiable features to evade detection and whose stolen data is sold through a Telegram bot. In the analyzed sample, the first stage of the infection consists of a 32-bit PE executable with highly obfuscated code. The sample also uses polymorphic techniques to change its identifiable features between builds, so that static signatures for one sample do not match the next.

MALWARE FAMILY: Erbium Stealer

ATT&CK IDs: T1218 - Signed Binary Proxy Execution, T1003 - OS Credential Dumping, T1005 - Data from Local System, T1027 - Obfuscated Files or Information, T1033 - System Owner/User Discovery, T1041 - Exfiltration Over C2 Channel, T1046 - Network Service Scanning, T1055 - Process Injection, T1057 - Process Discovery, T1071 - Application Layer Protocol, T1083 - File and Directory Discovery, T1087 - Account Discovery, T1106 - Native API, T1112 - Modify Registry, T1113 - Screen Capture, T1124 - System Time Discovery, T1140 - Deobfuscate/Decode Files or Information, T1202 - Indirect Command Execution, T1204 - User Execution, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1539 - Steal Web Session Cookie, T1553 - Subvert Trust Controls, T1555 - Credentials from Password Stores, T1562 - Impair Defenses, T1566 - Phishing
