elysiumstealer | aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9

Analysis

max time kernel
120s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2023, 20:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
Size

5.8MB
MD5

0b566cd0f49271f03dd901d6a1694821
SHA1

47ecb9be8a2999e68e61296d417ac0dc19158bdd
SHA256

aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9
SHA512

04789a779edf6243151bcb9cf7868d494f4105ac357185a718c1764b30896ae3cea6bb4e39d35e75c7e87ab8b5ac2be5875e608206ee10f45e5f95d2e18626cc
SSDEEP

98304:rnQCdFaU/EZ7/CDdbrlFmim58O6aEB6BT:TQCdoU/e7/mdbBJm58

Score

10^/10

elysiumstealer persistence stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e0b-133.dat	elysiumstealer_dll

Loads dropped DLL 1 IoCs

pid	Process
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\macaddress = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe"	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
536	1568	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe

C:\Users\Admin\AppData\Local\Temp\aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe
"C:\Users\Admin\AppData\Local\Temp\aab76d97453cca0ab33f0fa021484e8eae987bf462dda2d18b2760717a5fa3b9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1468
  2⤵
  - Program crash
  PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568
1⤵
PID:3608

Network

No results found

178.79.208.1:80

260 B
5
178.79.208.1:80

260 B
5
20.189.173.15:443

322 B
7
93.184.221.240:80

322 B
7
178.79.208.1:80

322 B
7
178.79.208.1:80

322 B
7
178.79.208.1:80

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/1568-132-0x00000000000B0000-0x0000000000676000-memory.dmp

Filesize
5.8MB

Download
memory/1568-134-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/1568-135-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/1568-136-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download