elysiumstealer | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b

Analysis

max time kernel
69s
max time network
69s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Size

571KB
MD5

d79d1213a930b951d933adc1f33f4ca0
SHA1

41b80eb754b3647e29381b7ed93ae4c7f0e6d036
SHA256

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b
SHA512

b8650a59aeb228984ec48a671e20de6668f203fee566afb3245a1770a7c19785b7d7bccf2d0ab41e73c226490abc5222e94653b70b6423aa61e1e29cd6119c97

Score

10^/10

elysiumstealer redline discovery infostealer spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-36-0x0000000000420652-mapping.dmp	family_redline
behavioral1/memory/1668-35-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1668-39-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1668-38-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

437406.exe299709.exe299709.exe

pid process

1700 437406.exe
300 299709.exe
1668 299709.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

568 cmd.exe
820 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

299709.exe

description pid process target process

PID 300 set thread context of 1668 300 299709.exe 299709.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1700	437406.exe
300	299709.exe
1668	299709.exe

pid	process
568	cmd.exe
820	cmd.exe

flow	ioc
16	checkip.amazonaws.com

description	pid	process	target process
PID 300 set thread context of 1668	300	299709.exe	299709.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

932 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

437406.exe299709.exe

pid process

1700 437406.exe
1700 437406.exe
1668 299709.exe
1668 299709.exe

pid	process
932	PING.EXE

pid	process
1700	437406.exe
1700	437406.exe
1668	299709.exe
1668	299709.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe437406.exe299709.exe299709.exe

description	pid	process
Token: SeDebugPrivilege	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Token: SeDebugPrivilege	1700	437406.exe
Token: SeDebugPrivilege	300	299709.exe
Token: SeDebugPrivilege	1668	299709.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.execmd.execmd.exe299709.exe299709.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 568	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1584 wrote to memory of 568	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1584 wrote to memory of 568	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1584 wrote to memory of 568	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 568 wrote to memory of 1700	568	cmd.exe	437406.exe
PID 568 wrote to memory of 1700	568	cmd.exe	437406.exe
PID 568 wrote to memory of 1700	568	cmd.exe	437406.exe
PID 568 wrote to memory of 1700	568	cmd.exe	437406.exe
PID 1584 wrote to memory of 820	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 820 wrote to memory of 300	820	cmd.exe	299709.exe
PID 820 wrote to memory of 300	820	cmd.exe	299709.exe
PID 820 wrote to memory of 300	820	cmd.exe	299709.exe
PID 820 wrote to memory of 300	820	cmd.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 300 wrote to memory of 1668	300	299709.exe	299709.exe
PID 1668 wrote to memory of 956	1668	299709.exe	cmd.exe
PID 1668 wrote to memory of 956	1668	299709.exe	cmd.exe
PID 1668 wrote to memory of 956	1668	299709.exe	cmd.exe
PID 1668 wrote to memory of 956	1668	299709.exe	cmd.exe
PID 956 wrote to memory of 932	956	cmd.exe	PING.EXE
PID 956 wrote to memory of 932	956	cmd.exe	PING.EXE
PID 956 wrote to memory of 932	956	cmd.exe	PING.EXE
PID 956 wrote to memory of 932	956	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
"C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\827776.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\ProgramData\437406.exe
C:\ProgramData\437406.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\299709.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820

C:\ProgramData\299709.exe
C:\ProgramData\299709.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300

C:\ProgramData\299709.exe
"C:\ProgramData\299709.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\ProgramData\299709.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\299709.bat
MD5
69160bf540a9a9e2049ea1d13cf2faf8

SHA1
4ca1e1ea01171ee710927284906054d8dc42f4f1

SHA256
42fb95a38d8bd58043f3ef01f6069d5a4f43f1a2fabcce55b74f350c8002a4a8

SHA512
09d8e2a5227bcfa23929f71042b5bcb3d89fc0dd3f76d3451c2d6abf1143532a6fffdde159bc772b5c4346a8732721d7a7f164f69fa1a8eefc0911b010216619

Download Submit
C:\ProgramData\299709.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
C:\ProgramData\299709.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
C:\ProgramData\299709.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
C:\ProgramData\437406.exe
MD5
79f346d5600586cf5a70f5f6f7aeb6ae

SHA1
51bd20e0ffa21eecf09e1528fd216c8a6be8a271

SHA256
2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb

SHA512
2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae

Download Submit
C:\ProgramData\437406.exe
MD5
79f346d5600586cf5a70f5f6f7aeb6ae

SHA1
51bd20e0ffa21eecf09e1528fd216c8a6be8a271

SHA256
2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb

SHA512
2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae

Download Submit
C:\ProgramData\827776.bat
MD5
7439d20003c0ee41be3bdaf320c0beea

SHA1
ee847192f70a531f40cce9927dfcd4064f7e0603

SHA256
c035e46907f68028f322211605e2cfe831e432dc5280d62dcd53c51b41baea7d

SHA512
3ee6b83a66aaf283686ed34e29b405b3b07af85f99c6966a9df0adc155e8644fd2dd424363bfbe6f6775f4abc3c6bc8587d7e3b5cdb552c43ebd6db254aa5a5c

Download Submit
\ProgramData\299709.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
\ProgramData\437406.exe
MD5
79f346d5600586cf5a70f5f6f7aeb6ae

SHA1
51bd20e0ffa21eecf09e1528fd216c8a6be8a271

SHA256
2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb

SHA512
2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae

Download Submit
memory/300-28-0x0000000000000000-mapping.dmp

Download
memory/300-34-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/300-30-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/300-33-0x0000000000580000-0x00000000005C0000-memory.dmp

Filesize
256KB

Download
memory/300-31-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/568-14-0x0000000000000000-mapping.dmp

Download
memory/820-24-0x0000000000000000-mapping.dmp

Download
memory/932-44-0x0000000000000000-mapping.dmp

Download
memory/956-43-0x0000000000000000-mapping.dmp

Download
memory/1584-0-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-1-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1584-3-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1584-4-0x00000000041C0000-0x0000000004225000-memory.dmp

Filesize
404KB

Download
memory/1584-5-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1668-36-0x0000000000420652-mapping.dmp

Download
memory/1668-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1668-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1668-38-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1668-40-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-23-0x0000000000710000-0x0000000000734000-memory.dmp

Filesize
144KB

Download
memory/1700-21-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1700-20-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-18-0x0000000000000000-mapping.dmp

Download