General

Target: Bat Ayar.bat
Size: 684B
Sample: 240524-q5b1csgc94
MD5: 26bfcd76c6d78dccdf22716f13087ec6
SHA1: 07e02f656c097569c29f7d01e76632d0b90fd3d9
SHA256: 6eba1ec75ca86382fddebdca5e2ac3c00e0793af58ff74b9e9042f7297cbb214
SHA512: 0696ec540605451d7888840c9e59a4711a6585302f8f69a3c3032aba72c689ca087918fe1c4f96e6943689f5f21178be68711980db8eb19f12dfe29854bbfeb9
Static task: static1

Behavioral task: behavioral1
Sample: Bat Ayar.bat
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: Bat Ayar.bat
Resource: win10v2004-20240426-en
Malware Config

Targets

Target: Bat Ayar.bat
Size: 684B
MD5: 26bfcd76c6d78dccdf22716f13087ec6
SHA1: 07e02f656c097569c29f7d01e76632d0b90fd3d9
SHA256: 6eba1ec75ca86382fddebdca5e2ac3c00e0793af58ff74b9e9042f7297cbb214
SHA512: 0696ec540605451d7888840c9e59a4711a6585302f8f69a3c3032aba72c689ca087918fe1c4f96e6943689f5f21178be68711980db8eb19f12dfe29854bbfeb9
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Account Manipulation (1)
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)