elysiumstealer | f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd

Analysis

Target

f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
Size

242KB
MD5

36885e55a22987da6f4d8009e9ad7d8b
SHA1

139e95d227e908f40bed43de59aeeb6bd9358d88
SHA256

f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd
SHA512

e791cd9d634532ddbf2f265de65424896f7615ec2e0e56f78220494139299a084d7b61ec54624e10dc09af46b1d708f2a812e3e4a0a21ba31e2bb713a8b95a06

Score

10^/10

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4216	4564	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe

C:\Users\Admin\AppData\Local\Temp\f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
"C:\Users\Admin\AppData\Local\Temp\f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1748
  2⤵
  - Program crash
  PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4564 -ip 4564
1⤵
PID:4880

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/4564-130-0x0000000000C90000-0x0000000000CD6000-memory.dmp

Filesize
280KB

Download
memory/4564-131-0x00000000084A0000-0x0000000008506000-memory.dmp

Filesize
408KB

Download
memory/4564-132-0x00000000087B0000-0x0000000008842000-memory.dmp

Filesize
584KB

Download
memory/4564-133-0x0000000008E00000-0x00000000093A4000-memory.dmp

Filesize
5.6MB

Download
memory/4564-134-0x0000000008BD0000-0x0000000008C6C000-memory.dmp

Filesize
624KB

Download