exelastealer | 9c76f803b0d97557c9717e89edaaf5dc0b73e39c729e163c5512951f7eed70f0 | Triage

Sharing

General

Target

7094d958e40adecae2f5d2e5f2856911.bin
Size

14.4MB
Sample

240623-ct5xeazdnk
MD5

7094d958e40adecae2f5d2e5f2856911
SHA1

4621bd0dd10144126900357d6efe842cf66c8088
SHA256

9c76f803b0d97557c9717e89edaaf5dc0b73e39c729e163c5512951f7eed70f0
SHA512

9004462febdfef58b6ecfb7374382d28d73cd78421749975b6412f40f69b063ff75a613b4f8f6f5b9af9680c4a89aef1c35d5483701533889038ca50277a9d0f
SSDEEP

393216:NQdqCGJWQsUcR4NzBdQJlNwF3MnG3xl/N6d9EAsn/rIWeRaPMHTy:NqOYQF5dQU3MGXgrjG0R9z

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  7094d958e40adecae2f5d2e5f2856911.bin
- Size
  
  14.4MB
- MD5
  
  7094d958e40adecae2f5d2e5f2856911
- SHA1
  
  4621bd0dd10144126900357d6efe842cf66c8088
- SHA256
  
  9c76f803b0d97557c9717e89edaaf5dc0b73e39c729e163c5512951f7eed70f0
- SHA512
  
  9004462febdfef58b6ecfb7374382d28d73cd78421749975b6412f40f69b063ff75a613b4f8f6f5b9af9680c4a89aef1c35d5483701533889038ca50277a9d0f
- SSDEEP
  
  393216:NQdqCGJWQsUcR4NzBdQJlNwF3MnG3xl/N6d9EAsn/rIWeRaPMHTy:NqOYQF5dQU3MGXgrjG0R9z
Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

exelastealerdefense_evasionevasionpersistenceprivilege_escalationspywarestealer