elysiumstealer | cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d

General

Target

cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
Size

78KB
MD5

a8db62010fc3ff8a86abdf3988646a8c
SHA1

247577574d8f60a064b03d9f2a627d0bdbc6d2a6
SHA256

cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d
SHA512

8234d169c809f91658f88ccb80be1dbae587ff9e0a3e517f4b42ac0f2e4a3be73b77bba787b6ebc55422c2f081b9c07e44f1192d63c90d3837b55597f68b0e1d

Score

10^/10

elysiumstealer discovery spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1824	1052	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exeWerFault.exe

pid	Process
1052	cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid	Process
1824	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exeWerFault.exe

description	pid	Process
Token: SeDebugPrivilege	1052	cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
Token: SeDebugPrivilege	1824	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe

description	pid	Process	procid_target
PID 1052 wrote to memory of 1824	1052	cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe	30
PID 1052 wrote to memory of 1824	1052	cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe	30
PID 1052 wrote to memory of 1824	1052	cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe	30
PID 1052 wrote to memory of 1824	1052	cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe	30

C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
"C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1856
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-60-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1052-62-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1052-63-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1824-64-0x0000000000000000-mapping.dmp

Download
memory/1824-65-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads