General
Target: 6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f.zip
Size: 10.0MB
Sample: 210420-vsnzv53v9x
MD5: 1f2ba2a86d6b2e0d884b3427491854cf
SHA1: 69ea2537be44404f92ba88ddc3def830620fa0e7
SHA256: 4acf0d4c84cbfaec5b5dccabf71fc8ddd249c39aa17582590f20aaea14451b3e
SHA512: d2516b781c49a0f5b5665a048d504d7cdb600308e1696269e7f0a8d6385c786d63595098686a4d10e06afcfe197d3da3d98aca9d6f838a036fd9d054159fd12b
Static task: static1
Behavioral task: behavioral1
Sample: 6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f.exe
Resource: win7v20210408
Malware Config
Targets
Target: 6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f.exe
Size: 10.1MB
MD5: 455d2c547dcacc8b6794a3fa0ccceac9
SHA1: 6efbe33712bddc491f54d7e03d7626941b7bd397
SHA256: 6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f
SHA512: a4354ce47ae24ec6bb656ad6b80b07335da392de8e7c1c007ebd9b50e42cb0d7714ddc06597d8bde44ebea1c189220d7f5d263de6937e30ccb31ac3e7473c013
- ElysiumStealer
  ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler that are commonly used to analyze network activity.
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext