elysiumstealer | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b

General

Target

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Size

571KB
MD5

d79d1213a930b951d933adc1f33f4ca0
SHA1

41b80eb754b3647e29381b7ed93ae4c7f0e6d036
SHA256

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b
SHA512

b8650a59aeb228984ec48a671e20de6668f203fee566afb3245a1770a7c19785b7d7bccf2d0ab41e73c226490abc5222e94653b70b6423aa61e1e29cd6119c97

Score

10^/10

elysiumstealer redline discovery infostealer spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/980-34-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/980-35-0x0000000000420652-mapping.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

816438.exe182887.exe182887.exe

pid process

1088 816438.exe
1004 182887.exe
980 182887.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

182887.exe

description pid process target process

PID 1004 set thread context of 980 1004 182887.exe 182887.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2424 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

816438.exe182887.exe

pid process

1088 816438.exe
1088 816438.exe
980 182887.exe
980 182887.exe

pid	process
1088	816438.exe
1004	182887.exe
980	182887.exe

flow	ioc
25	checkip.amazonaws.com

description	pid	process	target process
PID 1004 set thread context of 980	1004	182887.exe	182887.exe

pid	process
2424	PING.EXE

pid	process
1088	816438.exe
1088	816438.exe
980	182887.exe
980	182887.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe816438.exe182887.exe182887.exe

description	pid	process
Token: SeDebugPrivilege	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Token: SeDebugPrivilege	1088	816438.exe
Token: SeDebugPrivilege	1004	182887.exe
Token: SeDebugPrivilege	980	182887.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.execmd.execmd.exe182887.exe182887.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 2668	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1180 wrote to memory of 2668	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1180 wrote to memory of 2668	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 2668 wrote to memory of 1088	2668	cmd.exe	816438.exe
PID 2668 wrote to memory of 1088	2668	cmd.exe	816438.exe
PID 2668 wrote to memory of 1088	2668	cmd.exe	816438.exe
PID 1180 wrote to memory of 4040	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1180 wrote to memory of 4040	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 1180 wrote to memory of 4040	1180	027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe	cmd.exe
PID 4040 wrote to memory of 1004	4040	cmd.exe	182887.exe
PID 4040 wrote to memory of 1004	4040	cmd.exe	182887.exe
PID 4040 wrote to memory of 1004	4040	cmd.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 1004 wrote to memory of 980	1004	182887.exe	182887.exe
PID 980 wrote to memory of 2088	980	182887.exe	cmd.exe
PID 980 wrote to memory of 2088	980	182887.exe	cmd.exe
PID 980 wrote to memory of 2088	980	182887.exe	cmd.exe
PID 2088 wrote to memory of 2424	2088	cmd.exe	PING.EXE
PID 2088 wrote to memory of 2424	2088	cmd.exe	PING.EXE
PID 2088 wrote to memory of 2424	2088	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
"C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\175243.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\ProgramData\816438.exe
C:\ProgramData\816438.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\182887.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\ProgramData\182887.exe
C:\ProgramData\182887.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\ProgramData\182887.exe
"C:\ProgramData\182887.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\ProgramData\182887.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\175243.bat
MD5
22c769ab238d79cc9a90fec628ae0177

SHA1
29172f85d32ee363b5d3e65f6d10c438c303c191

SHA256
c2a3b3c1ad0f8f8c4f08093ad552df611a27d53e67b36f42fed5bac6125a017f

SHA512
88ca0c2cdc8f9c1fe22ca8a32fe52a25bf723ed75fd8478953bcdfdcdaf6720bbc860af2c7bd1d87c06b64c9996fb419dada5d810c0b149909ba48771e346255

Download Submit
C:\ProgramData\182887.bat
MD5
eb3846432e059fa9380d7357b5245fd4

SHA1
b1120a8fbe775ad7d0c82c750c4db661b5e32d03

SHA256
d2867a27f1c430ff7c5c27782cdfef84379a1691a06c8bfaa1af4e2a5752ac27

SHA512
a3c6825201106107d41885e2652466d23ee0366140671d3e111c72d5b7a108dcc199f5790fa9ae4423567671369a8a4c08da69f13213226e10364a4270b65ad4

Download Submit
C:\ProgramData\182887.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
C:\ProgramData\182887.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
C:\ProgramData\182887.exe
MD5
bce824d270be37468b18f591a78f280f

SHA1
d55960603fa9d83c88bbe322e8c13cd4b94dbb9a

SHA256
5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93

SHA512
40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0

Download Submit
C:\ProgramData\816438.exe
MD5
79f346d5600586cf5a70f5f6f7aeb6ae

SHA1
51bd20e0ffa21eecf09e1528fd216c8a6be8a271

SHA256
2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb

SHA512
2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae

Download Submit
C:\ProgramData\816438.exe
MD5
79f346d5600586cf5a70f5f6f7aeb6ae

SHA1
51bd20e0ffa21eecf09e1528fd216c8a6be8a271

SHA256
2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb

SHA512
2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\182887.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
memory/980-45-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/980-42-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/980-41-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/980-43-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/980-38-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/980-44-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/980-46-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/980-35-0x0000000000420652-mapping.dmp

Download
memory/980-47-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/980-34-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/980-53-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/1004-24-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/1004-31-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1004-25-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1004-27-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1004-21-0x0000000000000000-mapping.dmp

Download
memory/1004-33-0x0000000004FA0000-0x0000000004FB6000-memory.dmp

Filesize
88KB

Download
memory/1004-30-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1088-18-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/1088-10-0x0000000000000000-mapping.dmp

Download
memory/1088-28-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/1088-29-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/1088-13-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-17-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/1088-16-0x0000000007460000-0x0000000007484000-memory.dmp

Filesize
144KB

Download
memory/1088-14-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1180-0-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-5-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1180-4-0x0000000004B00000-0x0000000004B65000-memory.dmp

Filesize
404KB

Download
memory/1180-3-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1180-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2088-57-0x0000000000000000-mapping.dmp

Download
memory/2424-58-0x0000000000000000-mapping.dmp

Download
memory/2668-8-0x0000000000000000-mapping.dmp

Download
memory/4040-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads