elysiumstealer | 9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739

General

Target

9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739N.exe
Size

299KB
MD5

fe44151d26532fc78123195c70a4db90
SHA1

c48a042883935e286f53201cea731066954152de
SHA256

9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739
SHA512

123ebf66cb1eef1e17746fdff8736de703f688e3a1d6a74f50b9f66dac488e7ce39ba7492d4de61084afcd40a3691cb44c0c18d1421ef8af904cfc84ddb4b8bc
SSDEEP

6144:h0grT4pTSzlAQExlPwWtWaMXBLMJsujstDWfRjTfQVP:eHmCtWX5pAfRjT

Score

10^/10

elysiumstealer discovery stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023e25-5.dat	elysiumstealer_dll

Elysiumstealer family
elysiumstealer

Loads dropped DLL 1 IoCs

pid	Process
3568	9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2052	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739N.exe

C:\Users\Admin\AppData\Local\Temp\9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739N.exe
"C:\Users\Admin\AppData\Local\Temp\9dda9c2e2576d7f83a72345ad4813740665b8986d8ac7a984b2b6ee663de0739N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDJBNEY1RDItNjQ4Mi00REI4LTk1RjgtNzlBRDU1OEFBNzUyfSIgdXNlcmlkPSJ7NTJENzNEMTEtMEY4QS00QjFDLThGNTctMDc0NjEyOUNCNjhCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUQyQjJDNEEtRUFCMC00NUM4LUI5QzAtQkI5MkE1NTQxMTNBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDI5ODg3NjI1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\wMeow0.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/3568-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/3568-1-0x0000000000CC0000-0x0000000000D10000-memory.dmp

Filesize
320KB

Download
memory/3568-2-0x00000000016E0000-0x00000000016F2000-memory.dmp

Filesize
72KB

Download
memory/3568-3-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3568-8-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/3568-9-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/3568-10-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/3568-11-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3568-12-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/3568-13-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/3568-14-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing