Overview

overview

10

Static

static

10

59604cfc9a...9a.exe

windows7_x64

10

59604cfc9a...9a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    166s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08/05/2022, 06:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe

  • Size

    440KB

  • MD5

    d3937c560d6ccd27e80a5a1749c72561

  • SHA1

    7ae5722e2f823fbb1334e244b34ef5854129fde0

  • SHA256

    59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a

  • SHA512

    76db88a01e16172599a4744fc9c68b84e323395b557d976f10ba7f488522ef39f63fb64a803bfcbac163a3ad67964cc1e6c2e58deb7fc2619de018be2e2cbdf6

Score
10/10
elysiumstealerdiscoveryspywarestealer

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer
  • ElysiumStealer Payload 1 IoCs
  • ElysiumStealer Support DLL 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe
    "C:\Users\Admin\AppData\Local\Temp\59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1704
      2⤵
      • Program crash
      PID:3780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4652 -ip 4652
    1⤵
      PID:2328

    Network

    • flag-us
      DNS
      q1f.xyz
      59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe
      Remote address:
      8.8.8.8:53
      Request
      q1f.xyz
      IN A
      Response
    • flag-us
      DNS
      q1f.xyz
      59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe
      Remote address:
      8.8.8.8:53
      Request
      q1f.xyz
      IN A
      Response
    • 67.24.169.254:80
      260 B
       5
    • 2.16.119.157:443
      tls
      92 B
       111 B
       2
      2
    • 2.16.119.157:443
      tls
      92 B
       111 B
       2
      2
    • 8.253.69.232:80
      260 B
       5
    • 51.105.71.137:443
      322 B
       7
    • 67.24.169.254:80
      322 B
       7
    • 67.24.169.254:80
      322 B
       7
    • 67.24.169.254:80
      260 B
       5
    • 93.184.220.29:80
      322 B
       7
    • 67.24.169.254:80
      322 B
       7
    • 204.79.197.203:80
      322 B
       7
    • 104.110.191.140:80
      46 B
       40 B
       1
      1
    • 8.8.8.8:53
      q1f.xyz
      dns
      59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe
      53 B
       118 B
       1
      1

      DNS Request

      q1f.xyz

    • 8.8.8.8:53
      q1f.xyz
      dns
      59604cfc9abd7621d66ded13ee63f76f06709846308bbd412f25063d42e4f79a.exe
      53 B
       118 B
       1
      1

      DNS Request

      q1f.xyz

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
      Filesize

      40KB

      MD5

      94173de2e35aa8d621fc1c4f54b2a082

      SHA1

      fbb2266ee47f88462560f0370edb329554cd5869

      SHA256

      7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

      SHA512

      cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

      Download Submit

    • memory/4652-130-0x0000000000800000-0x0000000000874000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4652-132-0x0000000005B60000-0x0000000005BC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4652-133-0x0000000005CD0000-0x0000000005D62000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4652-134-0x0000000006320000-0x00000000068C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4652-135-0x0000000006190000-0x00000000061E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4652-136-0x0000000006280000-0x000000000631C000-memory.dmp

      Filesize

      624KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.