Analysis
-
max time kernel
114s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
07-03-2022 13:44
Static task
static1
Behavioral task
behavioral1
Sample
dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe
Resource
win10v2004-en-20220112
General
-
Target
dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe
-
Size
2.5MB
-
MD5
e72c5e8bef42ca93d84809c6f7d1b47e
-
SHA1
8009768ac1472a6b73ba77db882f1cc621ca53d5
-
SHA256
dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6
-
SHA512
28f3f1eef5bfedda2484b6768f5e086d05803574e514296466b9c9e6e262f87bbcda7cdcfec7ebe72954bf10a7bc9a74e347eff1ffeb6ecd7b9e08f29b2a79bb
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Payload 1 IoCs
resource yara_rule behavioral2/memory/3440-137-0x0000000000400000-0x000000000062C000-memory.dmp elysiumstealer -
Loads dropped DLL 1 IoCs
pid Process 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3440 wrote to memory of 3220 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe 67 PID 3440 wrote to memory of 3220 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe 67 PID 3440 wrote to memory of 3220 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe 67 PID 3440 wrote to memory of 3544 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe 69 PID 3440 wrote to memory of 3544 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe 69 PID 3440 wrote to memory of 3544 3440 dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe 69
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe"C:\Users\Admin\AppData\Local\Temp\dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\arp.exe"C:\Windows\System32\arp.exe" -a2⤵PID:3220
-
-
C:\Windows\SysWOW64\arp.exe"C:\Windows\System32\arp.exe" -a2⤵PID:3544
-