General
Target: waltuhium
Size: 319KB
Sample: 240628-ahzj5ssglq
MD5: ae6d8b16b72503593cadf7f086115e51
SHA1: f9713b1e00aeadd9e32e3a62f3b3dc1b04414bd4
SHA256: c06e74d4b6ed84b10a520d3ac9d6bd1c6050976e4d1685bd8932c9e202fa9876
SHA512: b95876e7a12241ef2621a674d5e92b9a1409e384c9680936dcd3048b18fb5ff197e038585f4bbc2285a4ca548fb6bedd45c97e10054ee4430371e76ee8258946
SSDEEP: 6144:+FoQP2n9dH5M2vkm0y3Cl3pId9RZ9PvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViS:6oQP2n9dH5M2vkm0y3Cl3pId9RZ9PvZW

Static task: static1
Behavioral task: behavioral1
Sample: waltuhium
Resource: win10v2004-20240508-en
Malware Config
Targets
Exela Stealer
Exela Stealer is an open source stealer, originally written in .NET and later transitioned to Python, that was first observed in August 2023.

Grants admin privileges
Uses net.exe to modify the user's privileges.

XMRig Miner payload

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Creates new service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Drops startup file

Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  System Services (2)
    Service Execution (2)
Persistence
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Modify Registry (1)