exelastealer | e6c7ba11549261c7f3a3bafcd18fb8b60c0ccffa3ea6bf05eefc282c869a63a9 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

Xylex-100%...ex.bat

windows7-x64

Xylex-100%...ex.bat

windows10-2004-x64

Sharing

General

Target

e6c7ba11549261c7f3a3bafcd18fb8b60c0ccffa3ea6bf05eefc282c869a63a9
Size

313B
Sample

240602-3dp45aca87
MD5

a0770dfa1bc82a8292d1611a8e760f01
SHA1

0103b9080d1f214d6b8e561f700ecb785da26d8e
SHA256

e6c7ba11549261c7f3a3bafcd18fb8b60c0ccffa3ea6bf05eefc282c869a63a9
SHA512

088b92930b979ee99f8b29c93fe52cf71048bf2e4b66a03688d0a7c08ae95ceb4e922c38acf045bf78889de1f69649f1da5efac9bb5755618c58c643d9775108

Score

10^/10

exelastealer evasion pyinstaller spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

Xylex-100% Unc/xylex.bat

Resource

win7-20240508-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

Xylex-100% Unc/xylex.bat

Resource

win10v2004-20240508-en

exelastealer evasion pyinstaller spyware stealer upx

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe

Targets

- Target
  
  Xylex-100% Unc/xylex.bat
- Size
  
  244B
- MD5
  
  ac122c56306baae12bc1dbc69455249a
- SHA1
  
  8f7be0cb0c88260843111257c349f5e2a0fa5b1a
- SHA256
  
  702d2a9930bf8d16752c3dbe1d5b5382c592c13e85e54fe0cd59df2ad4f764db
- SHA512
  
  a66df3c5a8c21561dad7ffba4eecc132fce6388797dabdd63eaa6d077d8ebf0298a0220331b0a8f28208a80f1b4cf3ec1ce74a76cf61b428bf03f2d2e637951b
Score

10^/10

exelastealer evasion pyinstaller spyware stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Account Manipulation

Create or Modify System Process

Windows Service

Privilege Escalation

Account Manipulation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

exelastealerevasionpyinstallerspywarestealerupx

© 2018-2025

Terms | Privacy