exelastealer | 030b0b50bac29a67a26420b3af6a0cad9819867ba4d660676da3004663868efe | Triage

Resubmissions

03-07-2024 08:49

240703-kq3a4svfqh 10

Sharing

General

Target

fud.exe
Size

61.7MB
Sample

240703-kq3a4svfqh
MD5

5b4e7d4ddd69c309731e35c33e4722a0
SHA1

38a49dd6d0f4cb1b49c20b7f018b6cb05bfae486
SHA256

030b0b50bac29a67a26420b3af6a0cad9819867ba4d660676da3004663868efe
SHA512

0aa980843875fa35852e5ecadee45429653b6a729724b34d1424a622e910b8368b22f5e4a783ba0abb3f48f5069882ded00e0f70d3a3675ec3f3fe1049dd9768
SSDEEP

393216:d76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfYnVQx4urYsANulL7Ng:d0LoCOn+2Ys4urYDNulLBiu8

Score

10^/10

exelastealer defense_evasion evasion execution persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  fud.exe
- Size
  
  61.7MB
- MD5
  
  5b4e7d4ddd69c309731e35c33e4722a0
- SHA1
  
  38a49dd6d0f4cb1b49c20b7f018b6cb05bfae486
- SHA256
  
  030b0b50bac29a67a26420b3af6a0cad9819867ba4d660676da3004663868efe
- SHA512
  
  0aa980843875fa35852e5ecadee45429653b6a729724b34d1424a622e910b8368b22f5e4a783ba0abb3f48f5069882ded00e0f70d3a3675ec3f3fe1049dd9768
- SSDEEP
  
  393216:d76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfYnVQx4urYsANulL7Ng:d0LoCOn+2Ys4urYDNulLBiu8
Score

10^/10

exelastealer defense_evasion evasion execution persistence privilege_escalation pyinstaller spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

exelastealerdefense_evasionevasionexecutionpersistenceprivilege_escalationpyinstallerspywarestealer