elysiumstealer

General

Target

6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f.zip
Size

10.0MB
Sample

210420-vsnzv53v9x
MD5

1f2ba2a86d6b2e0d884b3427491854cf
SHA1

69ea2537be44404f92ba88ddc3def830620fa0e7
SHA256

4acf0d4c84cbfaec5b5dccabf71fc8ddd249c39aa17582590f20aaea14451b3e
SHA512

d2516b781c49a0f5b5665a048d504d7cdb600308e1696269e7f0a8d6385c786d63595098686a4d10e06afcfe197d3da3d98aca9d6f838a036fd9d054159fd12b

Score

10^/10

Malware Config

Targets

- Target
  
  6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f.exe
- Size
  
  10.1MB
- MD5
  
  455d2c547dcacc8b6794a3fa0ccceac9
- SHA1
  
  6efbe33712bddc491f54d7e03d7626941b7bd397
- SHA256
  
  6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f
- SHA512
  
  a4354ce47ae24ec6bb656ad6b80b07335da392de8e7c1c007ebd9b50e42cb0d7714ddc06597d8bde44ebea1c189220d7f5d263de6937e30ccb31ac3e7473c013
Score

10^/10

elysiumstealer vidar agilenet discovery evasion exploit persistence spyware stealer trojan upx vmprotect
- ElysiumStealer
  ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
  stealer elysiumstealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2