elysiumstealer | be14698dddf38be027a4f4178b4f33d5d98e14f879064812a15e54c1eee91cb5

Analysis

max time kernel
106s
max time network
100s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoCry Ransomware Builder 2021.rar.zip
Size

7.9MB
MD5

fb5356fb440dcf8013e39c891d626d90
SHA1

1263f585f64b7fb55ee735c92a562f2fa0882b18
SHA256

be14698dddf38be027a4f4178b4f33d5d98e14f879064812a15e54c1eee91cb5
SHA512

1809ae1b8efbe7197b179187c7a1df8b69432b3ff398277a5a5230ec7f9e9f2f40ea1a430118d22a0eb345d7c97ad8adde09c91a09f5c9cb98a5fc552ba16f7a
SSDEEP

196608:5Cxn100Yr+gjTFg9mcYBHexffSfpvbAF/Zvp0lE8gFVEzfnPoOK6CX:UuKgvEmcYB+5A1bez0lE8gFVETsPX

Score

10^/10

elysiumstealer discovery spyware stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aad1-33.dat	elysiumstealer_dll

Elysiumstealer family
elysiumstealer

Executes dropped EXE 1 IoCs

pid	Process
5556	NoCry Ransomware Builder.exe

Loads dropped DLL 4 IoCs

pid	Process
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoCry Ransomware Builder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe
5556	NoCry Ransomware Builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
444	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	444	7zFM.exe
Token: 35	444	7zFM.exe
Token: SeSecurityPrivilege	444	7zFM.exe
Token: SeSecurityPrivilege	444	7zFM.exe
Token: SeDebugPrivilege	5556	NoCry Ransomware Builder.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
444	7zFM.exe
444	7zFM.exe
444	7zFM.exe
444	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NoCry Ransomware Builder 2021.rar.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Users\Admin\Desktop\NoCry Ransomware Builder 2021\NoCry Ransomware Builder.exe
"C:\Users\Admin\Desktop\NoCry Ransomware Builder 2021\NoCry Ransomware Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
C:\Users\Admin\Desktop\NoCry Ransomware Builder 2021\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\Desktop\NoCry Ransomware Builder 2021\NoCry Ransomware Builder.exe

Filesize
7.1MB

MD5
d15f2df43b25f5534336339b37b49ea8

SHA1
0c048d1a86ef468625403b6c1e117e82d3602422

SHA256
1aefedf48ed1b83203f997868822de9950ec2d965aaa386d83ec658ca8f48431

SHA512
b4766962f2a8279289d3c9f42d8e2e4c8222dae6db79fd0b62922e2174fa8f081c1ab53510ca64f6e70e53587017a0fb447b86652b6d0299b4e202a34f8f7698

Download Submit
C:\Users\Admin\Desktop\NoCry Ransomware Builder 2021\SQLite.Interop.dll

Filesize
1.2MB

MD5
1d5041dc5a86b787d9701b78a9e0b121

SHA1
88873d0af22c924869f8c10c46e9b8f765d9b998

SHA256
4870018813eff9a5b050044c5eb639bb3e536ec1cd3ad03da389b83216c0f4d5

SHA512
65b10e3ed76886d6649b9d7a13d9072cc6ee4026632ad588551020df634d065f30691f62b394da96eaf870226dc8272a04b92648c999fc7329573a9e2383af4b

Download Submit
memory/5556-28-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/5556-31-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/5556-36-0x0000000005FE0000-0x0000000006586000-memory.dmp

Filesize
5.6MB

Download
memory/5556-37-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/5556-38-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/5556-39-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/5556-45-0x00000000091E0000-0x0000000009537000-memory.dmp

Filesize
3.3MB

Download
memory/5556-30-0x0000000005400000-0x000000000540C000-memory.dmp

Filesize
48KB

Download
memory/5556-29-0x0000000000290000-0x00000000009A2000-memory.dmp

Filesize
7.1MB

Download
memory/5556-44-0x00000000091B0000-0x00000000091D2000-memory.dmp

Filesize
136KB

Download
memory/5556-46-0x0000000009570000-0x00000000095BC000-memory.dmp

Filesize
304KB

Download
memory/5556-47-0x0000000009610000-0x0000000009660000-memory.dmp

Filesize
320KB

Download
memory/5556-43-0x0000000008B10000-0x0000000008BB8000-memory.dmp

Filesize
672KB

Download
memory/5556-51-0x0000000009820000-0x000000000985C000-memory.dmp

Filesize
240KB

Download
memory/5556-52-0x00000000097E0000-0x0000000009801000-memory.dmp

Filesize
132KB

Download
memory/5556-55-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/5556-56-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/5556-57-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download