elysiumstealer | ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3

General

Target

ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
Size

405KB
MD5

4328a8e91296320c208b5ac9f7634bf9
SHA1

a173f1352345d9e5aa1aa8b37d288dcd953dad48
SHA256

ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3
SHA512

8463c544199c85d96124dfac3d92229b3a29d0002b79328554c00b6af74309059c163f0ea70c378ca80bf0360fc728c1f2ed7f3bd71a8f47ba82c9f679227428

Score

10^/10

elysiumstealer discovery spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1368 968 WerFault.exe ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

pid	pid_target	process	target process
1368	968	WerFault.exe	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

pid	process
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

description pid process

Token: SeDebugPrivilege 968 ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

description	pid	process
Token: SeDebugPrivilege	968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe

description	pid	process	target process
PID 968 wrote to memory of 1368	968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe	WerFault.exe
PID 968 wrote to memory of 1368	968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe	WerFault.exe
PID 968 wrote to memory of 1368	968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe	WerFault.exe
PID 968 wrote to memory of 1368	968	ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe
"C:\Users\Admin\AppData\Local\Temp\ea073da8a4bb2e317f717a2d43a7aee76a92c42f568f724ea70beb2794938ee3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1248
  2⤵
  - Program crash
  PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-54-0x0000000000E10000-0x0000000000E7C000-memory.dmp

Filesize
432KB

Download
memory/968-55-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/968-56-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1368-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing