General
-
Target
BTRSetp.exe
-
Size
258KB
-
Sample
210306-69e2b9g6sj
-
MD5
1165ce455c6ff9ad6c27e49a8094b069
-
SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85
-
SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
-
SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4
Static task
static1
Behavioral task
behavioral1
Sample
BTRSetp.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
BTRSetp.exe
Resource
win10v20201028
Malware Config
Targets
-
-
Target
BTRSetp.exe
-
Size
258KB
-
MD5
1165ce455c6ff9ad6c27e49a8094b069
-
SHA1
3ba061200d28f39ce95a2d493d26c8eb54160e85
-
SHA256
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
-
SHA512
dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Payload
-
ElysiumStealer Support DLL
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner Payload
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-