Overview

overview

10

Static

static

1

twstealer.zip

windows10-2004-x64

1

twstealer.zip

windows11-21h2-x64

1

twstealer/build.bat

windows10-2004-x64

8

twstealer/build.bat

windows11-21h2-x64

10

twstealer/main.pyw

windows10-2004-x64

3

twstealer/main.pyw

windows11-21h2-x64

3

twstealer/...k.json

windows10-2004-x64

3

twstealer/...k.json

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    twstealer.zip

  • Size

    4KB

  • Sample

    240619-wsnfhswaqe

  • MD5

    c17c378903bcfc33bbd3541b026f75ce

  • SHA1

    8a471666a8113b8344074c81317c4bbbc4ec9e05

  • SHA256

    ebf45d7cff6073df8ef7d416fb7a0105db1bc1053b6d3bf2ae81c1e0078c6052

  • SHA512

    c9139a0cc4c96abb933524fa5ffd625a63062cb55dba5e00928f619431534428d1cce8c73aa63091659f678f2162d9b997f845a216300519b78d24163bd4b0fb

  • SSDEEP

    96:YRv1j1trkPoZFhPNX3vtfgKHat7QtFzj1Aosm1TBe4T1:mRTkQZFhPNHVfgKHS4FqopJk4T1

Score
10/10
exelastealerdefense_evasionevasionpersistenceprivilege_escalationpyinstallerspywarestealer

Malware Config

Targets

    • Target

      twstealer.zip

    • Size

      4KB

    • MD5

      c17c378903bcfc33bbd3541b026f75ce

    • SHA1

      8a471666a8113b8344074c81317c4bbbc4ec9e05

    • SHA256

      ebf45d7cff6073df8ef7d416fb7a0105db1bc1053b6d3bf2ae81c1e0078c6052

    • SHA512

      c9139a0cc4c96abb933524fa5ffd625a63062cb55dba5e00928f619431534428d1cce8c73aa63091659f678f2162d9b997f845a216300519b78d24163bd4b0fb

    • SSDEEP

      96:YRv1j1trkPoZFhPNX3vtfgKHat7QtFzj1Aosm1TBe4T1:mRTkQZFhPNHVfgKHS4FqopJk4T1

    Score
    1/10
    behavioral1behavioral2

    • Target

      twstealer/build.bat

    • Size

      692B

    • MD5

      16bd913ad66ea5bbc6c63230548426ea

    • SHA1

      e2296c99f38e8c6653b3b031403d013f967cc863

    • SHA256

      1cb7e51e106f26961e4564ea48e7b718b524af34854c18c500d879812b960200

    • SHA512

      412f904b8f4f084ce9e6e7ec72d6c1980421c26d27007922e96dd87023151d8a5c07f7116ec01b8841f549a038e1bf0fa566de480037887bfb412af8b3cd6b8f

    Score
    10/10
    pyinstallerexelastealerdefense_evasionevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral3behavioral4

    • Target

      twstealer/main.pyw

    • Size

      11KB

    • MD5

      4613c1511a90aeb0487b07edc3f64ebf

    • SHA1

      781a0c0da65d4d9f75670a688db50c7f9593814e

    • SHA256

      e3b4bc0d574a0ee64c386cb33757b9b5a7487edb2449b4bb25fbb6a24c31d979

    • SHA512

      b738caa7fef1a738df02c03ced79e7c67c06f9c9991390784b9d886639de25cfe6e1834586b9234c87a6b7f56579575e72a92dd8b93f057d7ff5ed469ec0c1c9

    • SSDEEP

      192:Rb1gIrIgBHqFR3bN+2XbFlbHubXa2wAmpEcVxGmRfkJ8B/0j3QPB2W7:hYSGEcVxDC2

    Score
    3/10
    behavioral5behavioral6

    • Target

      twstealer/webhook.json

    • Size

      150B

    • MD5

      66b2da03fe0ced41ef09331954094959

    • SHA1

      714881d5e7c83be5b4d7ae2083fa2b88b44b1ea5

    • SHA256

      0806687b540b4914a259d7b2caf839d0f22c3a00597b42cfac16562ff9e0a73a

    • SHA512

      ca9a990e2a489a146e970da21b68be4626c8064becefb2b44481894aefda7d7246c80725733dd4f8860b8d985d0cb157bb531bc23cf83e1019321fe0c0d3fa1e

    Score
    3/10
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks