elysiumstealer | 515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb

General

Target

515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb.exe
Size

299KB
MD5

9d9f0a5c09073184b4beec958ebfe9b6
SHA1

e5d04abf651fd535382739518b0557ec1bce1602
SHA256

515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb
SHA512

1cbd7b815c7076b95cd88c5955b65714f9f023a2117f474f025c515181da0d29540f65154c46d9664a6d66eb211771421942aecc8ba39fe9ea39e88adf14b9fc
SSDEEP

6144:h0grT4pTSzlAQExlPwWtWaMXBLMJsujstDWfRjTfQVPE:eHmCtWX5pAfRjT5

Score

10^/10

elysiumstealer discovery stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023e3e-5.dat	elysiumstealer_dll

Elysiumstealer family
elysiumstealer

Downloads MZ/PE file 1 IoCs

flow	pid	Process
19	4188	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2340	515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1488	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb.exe

C:\Users\Admin\AppData\Local\Temp\515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb.exe
"C:\Users\Admin\AppData\Local\Temp\515cb2b0a7360b6997be2d5a89bb760379349b73a40955012c8d3d6ea0e7b8fb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0FGOUNBRjEtQjk5Ri00MUNCLTk3MTgtRkU2QzI2MjhCOUFDfSIgdXNlcmlkPSJ7NjE3QUE4OUQtNDdEOS00MTdELTgxMTctRUQ2REYyRjNFQkI5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUQ4QUMxOTYtNjU0MC00MjBFLThFMjgtRDU1MEI1MjZBM0IzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTcwODU3MjkyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\wMeow0.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/2340-0-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x0000000000F30000-0x0000000000F80000-memory.dmp

Filesize
320KB

Download
memory/2340-2-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/2340-3-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/2340-8-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/2340-9-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/2340-10-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

Filesize
40KB

Download
memory/2340-11-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/2340-12-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2340-13-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/2340-14-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing