elysiumstealer

General

Target

BBA60DFA5E58997112A5829898E2A7DD.exe
Size

3.9MB
Sample

210528-r7asgq3vp2
MD5

bba60dfa5e58997112a5829898e2a7dd
SHA1

b0b3f12499471d97d337396b9dd652497e070866
SHA256

4e9bb871716df27af35ede8b153efa96e131321fa3ced426fce64b893ebd089a
SHA512

fc7ceccfba312cd787cfe7c6674465848bd7a89d4130b68ebfe3839be92cc8567e3d6d97e974eb3ddd11dd7071fa43632e9dec4df298c7b431213c30a52936bd

Malware Config

Extracted

Family

redline

Botnet

Servj

C2

87.251.71.4:80

Extracted

Family

smokeloader

Version

2020

C2

http://khaleelahmed.com/upload/

http://twvickiassociation.com/upload/

http://www20833.com/upload/

http://cocinasintonterias.com/upload/

http://masaofukunaga.com/upload/

http://gnckids.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

74452b5cbc58563477e4a9e149f2093398530bbd

Attributes

url4cnc
https://tttttt.me/johnyes13

rc4.plain

Targets

- Target
  
  BBA60DFA5E58997112A5829898E2A7DD.exe
- Size
  
  3.9MB
- MD5
  
  bba60dfa5e58997112a5829898e2a7dd
- SHA1
  
  b0b3f12499471d97d337396b9dd652497e070866
- SHA256
  
  4e9bb871716df27af35ede8b153efa96e131321fa3ced426fce64b893ebd089a
- SHA512
  
  fc7ceccfba312cd787cfe7c6674465848bd7a89d4130b68ebfe3839be92cc8567e3d6d97e974eb3ddd11dd7071fa43632e9dec4df298c7b431213c30a52936bd
Score

10^/10

aspackv2 elysiumstealer plugx raccoon redline smokeloader vidar xmrig 74452b5cbc58563477e4a9e149f2093398530bbd servj backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan upx vmprotect
- ElysiumStealer
  ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
  stealer elysiumstealer
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2