Overview

overview

10

Static

static

3

Telegram.exe

windows7-x64

7

Telegram.exe

windows10-2004-x64

10

Stub.pyc

windows7-x64

3

Stub.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Telegram.exe

  • Size

    11.3MB

  • Sample

    240616-aclq4avamm

  • MD5

    0c1f9b00dd0c4f36105ee368e80da86c

  • SHA1

    ae0e681ce9e78898bec4da04018fdab3d1e0b381

  • SHA256

    04b6cd2f3048a64bfea4e58c799ed5000235fc64e2fa43db7541723037e85339

  • SHA512

    99c35f31eae87a20a28024b0736479206a88f46e8f278da38122de39da453c6cb1cf50c3c27ae1b7f5ce24f3ae81361f31476525d4d0fef7af1502e9d2176df0

  • SSDEEP

    196608:zU9lyncmtSLurErvI9pWj+NevvoaYZ41JISItNYsCrlx:g+jtSLurEUWjueHo21JuN3clx

Score
10/10
exelastealerevasionpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Telegram.exe

    • Size

      11.3MB

    • MD5

      0c1f9b00dd0c4f36105ee368e80da86c

    • SHA1

      ae0e681ce9e78898bec4da04018fdab3d1e0b381

    • SHA256

      04b6cd2f3048a64bfea4e58c799ed5000235fc64e2fa43db7541723037e85339

    • SHA512

      99c35f31eae87a20a28024b0736479206a88f46e8f278da38122de39da453c6cb1cf50c3c27ae1b7f5ce24f3ae81361f31476525d4d0fef7af1502e9d2176df0

    • SSDEEP

      196608:zU9lyncmtSLurErvI9pWj+NevvoaYZ41JISItNYsCrlx:g+jtSLurEUWjueHo21JuN3clx

    Score
    10/10
    upxexelastealerevasionpyinstallerspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Stub.pyc

    • Size

      874KB

    • MD5

      6603a3a569f2bd07edecb6e0e94e62fe

    • SHA1

      342396d9e35a2d2090aee83f9490e65da2e1999e

    • SHA256

      771b876f9d185c3b8a9dbd28e3538e9e01e731f8b43fda5f27d8a90c4f96c480

    • SHA512

      c7a8ed4c81d651d6d22392fdd7b4c6ce754da5b1405290e0f8310e53faa660b0b732eb9ec226b7432cbfb030168f76b24ebca0b8c67ba601e5a4497efce78610

    • SSDEEP

      24576:K4+zR7jp3i4lTx1Djce1+Ci3hvNEcVfLOtoCis:y/lnbUs

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks