elysiumstealer | 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce

General

Target

36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
Size

80KB
MD5

3d330c6e2e14c3e682aec36e1abeb028
SHA1

59665acd4f6398afb4d5ab515e95a886648f161c
SHA256

36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce
SHA512

e4c5b6570d3823f985e5516dbb9917f3c9c3ccd7a780de1e7cd179f7f338f0d0579e62d988898ae7002e774daec3bf6a29d5d87b5e70cb43e6b06ad627e984c3

Score

10^/10

elysiumstealer discovery spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1420	1032	WerFault.exe	25

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1032	36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1420	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
Token: SeDebugPrivilege	1420	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1420	1032	36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe	31
PID 1032 wrote to memory of 1420	1032	36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe	31
PID 1032 wrote to memory of 1420	1032	36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe	31
PID 1032 wrote to memory of 1420	1032	36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe	31

C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
"C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1832
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-53-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1032-55-0x0000000000210000-0x000000000022B000-memory.dmp

Filesize
108KB

Download
memory/1032-56-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1420-58-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing