Overview

overview

10

Static

static

URLScan

urlscan

https://github.com/b...

windows7-x64

10

https://github.com/b...

windows10-2004-x64

8

Analysis

  • max time kernel
    78s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2022 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/babyroro1/Sketchfab-Ripper-/releases/download/sketchfab/SketchfabRipper.exe

Score
10/10
elysiumstealerstealerupx

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer
  • ElysiumStealer payload 10 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 7 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/babyroro1/Sketchfab-Ripper-/releases/download/sketchfab/SketchfabRipper.exe
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2012
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2044 -s 656
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1480

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d4c505779c3cd53045709716b7717ce9

    SHA1

    c3ab2741f50a833f5f48262f34b901f48bd716f4

    SHA256

    d0d83f1cc3145fc821ec8fed67c2d2493273c0ff4bbf4863697a14b08cd22bf1

    SHA512

    8a8c4870242d2f05bb6fd1e9a1d591f55b37287487b539aaa4357935567094c88a55569de19011658757dc7239dbe9f1e6510062939c73041feb98b662a78109

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe.0suhyvc.partial
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TFIKGAM5.txt
    Filesize

    608B

    MD5

    04dbb07094dd5e595d67d657f2ee6094

    SHA1

    fb913f395299fcae868420925c40114feee9c45a

    SHA256

    b64848e64ead3eb6941cb0d5d3edeb7237315847b933e93ea8fd807d4fc1af89

    SHA512

    eb606ac43b4b3d70cd89560ae3d73bd6ceac73d7204b13e473ccb4be2523b0dbd2c4597c357d8cd680dfb391d3aab9e108f245c797b5a3bba61a94c0416caa4c

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
    Filesize

    1.4MB

    MD5

    0acae348710ea8e48cbfa74859885cda

    SHA1

    89fa5d1e1e28b0ce325472a85afc705041d4a05c

    SHA256

    660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561

    SHA512

    bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\Distort.NET_VM.dll
    Filesize

    39KB

    MD5

    d80d1b6d9a6d5986fa47f6f8487030e1

    SHA1

    8f5773bf9eca43b079c1766b2e9f44cc90bd9215

    SHA256

    446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3

    SHA512

    9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

    Download Submit

  • memory/2044-61-0x0000000000840000-0x000000000086C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2044-59-0x0000000000150000-0x000000000016A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2044-58-0x0000000001320000-0x0000000001496000-memory.dmp

    Filesize

    1.5MB

    Download