elysiumstealer | dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6

Analysis

Target

dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe
Size

2.5MB
MD5

e72c5e8bef42ca93d84809c6f7d1b47e
SHA1

8009768ac1472a6b73ba77db882f1cc621ca53d5
SHA256

dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6
SHA512

28f3f1eef5bfedda2484b6768f5e086d05803574e514296466b9c9e6e262f87bbcda7cdcfec7ebe72954bf10a7bc9a74e347eff1ffeb6ecd7b9e08f29b2a79bb

Score

10^/10

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3440-137-0x0000000000400000-0x000000000062C000-memory.dmp	elysiumstealer

Loads dropped DLL 1 IoCs

pid	Process
3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3220	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe	67
PID 3440 wrote to memory of 3220	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe	67
PID 3440 wrote to memory of 3220	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe	67
PID 3440 wrote to memory of 3544	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe	69
PID 3440 wrote to memory of 3544	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe	69
PID 3440 wrote to memory of 3544	3440	dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe	69

C:\Users\Admin\AppData\Local\Temp\dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe
"C:\Users\Admin\AppData\Local\Temp\dc68c56376057b68b1d9339e321e30cb35824772dd0eba0714ca8d1a0697fcc6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\SysWOW64\arp.exe
  "C:\Windows\System32\arp.exe" -a
  2⤵
  PID:3220
- C:\Windows\SysWOW64\arp.exe
  "C:\Windows\System32\arp.exe" -a
  2⤵
  PID:3544

memory/3440-136-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3440-132-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3440-133-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3440-134-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3440-135-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3440-130-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3440-137-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/3440-138-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-139-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3440-131-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3440-141-0x0000000003110000-0x00000000031A2000-memory.dmp

Filesize
584KB

Download
memory/3440-142-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download