elysiumstealer | 33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 11:38

Target

33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe
Size

496KB
MD5

49a7d1726e99dfbe948ddb72208a7c6f
SHA1

0d16e1ca6381ab2735a63d153936f30048f02f13
SHA256

33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744
SHA512

4ff4c0a221b3d7a1b3dc593cd563ee05a84280373bbc4671928fc801bf6fa71f7dec77c09b3032d302739878eae57e2a5b87db215a4b30d3f570151e4c3ed2fd
SSDEEP

6144:cGwX2ZQvopOYQ42NcWR3Xwlb7X9rx12GValheKrRKLLMJs4+dbyuE:cGwgQVYUWWhMftxLA8/

Score

10^/10

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-54-0x0000000000010000-0x0000000000092000-memory.dmp	elysiumstealer
behavioral1/memory/1680-55-0x0000000000450000-0x000000000045C000-memory.dmp	elysiumstealer

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResolveUnblock.crw.MafiaWare666	33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectSkip.crw.MafiaWare666	33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe

Loads dropped DLL 1 IoCs

Processes:

33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe

pid	Process
1680	33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1100	1680	WerFault.exe	27

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe

description	pid	Process	procid_target
PID 1680 wrote to memory of 1100	1680	33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe	29
PID 1680 wrote to memory of 1100	1680	33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe	29
PID 1680 wrote to memory of 1100	1680	33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe	29

C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe
"C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1680 -s 704
  2⤵
  - Program crash
  PID:1100

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Filesize
39KB

MD5
d80d1b6d9a6d5986fa47f6f8487030e1

SHA1
8f5773bf9eca43b079c1766b2e9f44cc90bd9215

SHA256
446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3

SHA512
9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

Download Submit
memory/1100-57-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x0000000000010000-0x0000000000092000-memory.dmp

Filesize
520KB

Download
memory/1680-55-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download