elysiumstealer | 1070b4766e0979a8e15ddbd3d0ba27a9d05272027b3a20eaaf9c9fd854f2def7

Analysis

max time kernel
53s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 22:56

Target

Netflix Tools PACK/Netflix Tools PACK/Netflix Checker Shitter By Team-Otimus V3.0/Team-Otimus V3.0/Shitter 3.0.exe
Size

2.0MB
MD5

328363afedfb05a045788fc37273ab0b
SHA1

38a3e9d74af2b746382c8fab5666cac1b0300297
SHA256

ee7666c6cd823b082bfd9ecc8fe2c090e23e4882da3759c3d07bd5d8ade47790
SHA512

5db66eb7275c6f127117dc25612dc3fbd3ffc129057498ae2fe125526b95cf17e3a4fe56f58d72c10ec21c54e13a9aac182c3c35727219fa0f86f4e030d8f448
SSDEEP

49152:YVfVEVFItr7yP/jxsvShLOyVQDnPP9oqi:YVfVEVFY78LxsahL3iDnP

Score

10^/10

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll	elysiumstealer_dll

Loads dropped DLL 1 IoCs

Processes:

Shitter 3.0.exe

pid process

1708 Shitter 3.0.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3472 1708 WerFault.exe Shitter 3.0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Shitter 3.0.exe

description pid process

Token: SeDebugPrivilege 1708 Shitter 3.0.exe

pid	process
1708	Shitter 3.0.exe

pid	pid_target	process	target process
3472	1708	WerFault.exe	Shitter 3.0.exe

description	pid	process
Token: SeDebugPrivilege	1708	Shitter 3.0.exe

C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1096
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1708 -ip 1708
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/1708-133-0x0000000000D40000-0x0000000000F44000-memory.dmp

Filesize
2.0MB

Download
memory/1708-134-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/1708-139-0x00000000059B0000-0x0000000005A4C000-memory.dmp

Filesize
624KB

Download
memory/1708-140-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/1708-141-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/1708-142-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/1708-143-0x0000000005C80000-0x0000000005CD6000-memory.dmp

Filesize
344KB

Download