elysiumstealer | 7bcbc81dbfbc85b4c7c40f44931788a814ded426317e6ea9456cc65c37341c92

General

Target

4c37879689505f683c1e07b86b8aa7f2.exe
Size

559KB
MD5

4c37879689505f683c1e07b86b8aa7f2
SHA1

58484777d59af5378002ee6cd686525f26449098
SHA256

7bcbc81dbfbc85b4c7c40f44931788a814ded426317e6ea9456cc65c37341c92
SHA512

0b6615a38a67e922527edc694838afa2e96db58ab4f09c03fdf3e71a49bbab6e74addd54efbdd56a25c2bc8fc74e60d8a58409e2c471421438d3193df88acc74
SSDEEP

6144:5fqHpILYw0mlefjZJnu3GHYKDcOuhHovXIslLMJsd/4TelpDtrRA6Ts5v3FNR3:xq2L7UjX0G/xvwsrSeLlTst3t3

Score

10^/10

elysiumstealer stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll	elysiumstealer_dll

Loads dropped DLL 1 IoCs

Processes:

4c37879689505f683c1e07b86b8aa7f2.exe

pid process

3008 4c37879689505f683c1e07b86b8aa7f2.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

4c37879689505f683c1e07b86b8aa7f2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion = "3.0"	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion = "3.0"	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "PL-8A37"	4c37879689505f683c1e07b86b8aa7f2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	4c37879689505f683c1e07b86b8aa7f2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Gigabyte GA - A320M - H"	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor = "Phoenix Technologies, Ltd"	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "SCPK9P5R-A"	4c37879689505f683c1e07b86b8aa7f2.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "{5cc6810b-c686-4906-ae31-a5993a4908b4}"	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "{7ae73ada-08df-4894-b839-968bf83b07de}"	4c37879689505f683c1e07b86b8aa7f2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate = "01/02/2016"	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "forl5kpf-A"	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "{492b9d05-c37d-4b38-81b8-89be987f23e8}"	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "A.60"	4c37879689505f683c1e07b86b8aa7f2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "MSI"	4c37879689505f683c1e07b86b8aa7f2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "{cc14e175-0ac1-4c38-823e-ac149c4792f7}"	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "MSI"	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	4c37879689505f683c1e07b86b8aa7f2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "2L65QDB3-A"	4c37879689505f683c1e07b86b8aa7f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	4c37879689505f683c1e07b86b8aa7f2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "LQQ1V5VMR1Z65SVIXZAA"	4c37879689505f683c1e07b86b8aa7f2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4c37879689505f683c1e07b86b8aa7f2.exe

pid	process
3008	4c37879689505f683c1e07b86b8aa7f2.exe
3008	4c37879689505f683c1e07b86b8aa7f2.exe
3008	4c37879689505f683c1e07b86b8aa7f2.exe
3008	4c37879689505f683c1e07b86b8aa7f2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4c37879689505f683c1e07b86b8aa7f2.exe

description pid process

Token: SeDebugPrivilege 3008 4c37879689505f683c1e07b86b8aa7f2.exe

description	pid	process
Token: SeDebugPrivilege	3008	4c37879689505f683c1e07b86b8aa7f2.exe

C:\Users\Admin\AppData\Local\Temp\4c37879689505f683c1e07b86b8aa7f2.exe
"C:\Users\Admin\AppData\Local\Temp\4c37879689505f683c1e07b86b8aa7f2.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/3008-0-0x0000000000130000-0x00000000001C2000-memory.dmp

Filesize
584KB

Download
memory/3008-1-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-2-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/3008-3-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3008-4-0x0000000075AB0000-0x0000000075BC0000-memory.dmp

Filesize
1.1MB

Download
memory/3008-19-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-20-0x0000000075AB0000-0x0000000075BC0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads