elysiumstealer | ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af

General

Target

ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
Size

79KB
MD5

2cd5c4ee42e61a0f770d43f8f9ca558f
SHA1

ac2878f25ce42de9d73278a2fecf73565b2f4dfe
SHA256

ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af
SHA512

1ca622e5f06b3fb299ddb7658251f580768bc9e45a1ac0a228a7ce1c318dfbd8103eb155137e8c8fb6255b93cbc4fa49f0540b321add9d3a6b82bc776ae1197d

Score

10^/10

elysiumstealer discovery spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
440	2040	WerFault.exe	25

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2040	ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
440	WerFault.exe
440	WerFault.exe
440	WerFault.exe
440	WerFault.exe
440	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
440	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
Token: SeDebugPrivilege	440	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 440	2040	ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe	30
PID 2040 wrote to memory of 440	2040	ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe	30
PID 2040 wrote to memory of 440	2040	ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe	30
PID 2040 wrote to memory of 440	2040	ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe	30

C:\Users\Admin\AppData\Local\Temp\ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
"C:\Users\Admin\AppData\Local\Temp\ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1852
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-58-0x00000000002F0000-0x0000000000308000-memory.dmp

Filesize
96KB

Download
memory/2040-53-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/2040-55-0x00000000008B0000-0x00000000008CB000-memory.dmp

Filesize
108KB

Download
memory/2040-56-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing