Overview

overview

10

Static

static

3

twstealer-main.zip

windows11-21h2-x64

1

twstealer-...DME.md

windows11-21h2-x64

3

twstealer-...ld.bat

windows11-21h2-x64

3

twstealer-...k.json

windows11-21h2-x64

3

twstealer-...me.exe

windows11-21h2-x64

10

Stub.pyc

windows11-21h2-x64

3

twstealer-...in.pyw

windows11-21h2-x64

3

twstealer-...k.json

windows11-21h2-x64

3

Resubmissions

04-07-2024 15:32

240704-syl8vs1ard 7

04-07-2024 15:27

240704-sv6hbs1apd 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    twstealer-main.zip

  • Size

    12.8MB

  • Sample

    240704-sv6hbs1apd

  • MD5

    41ac7f3a38f52082b8a95a927eeb39af

  • SHA1

    348b3bae32b300d06fa53c4bffd43556d5998f6a

  • SHA256

    e75a8a541aeb8df44cb7904829518dbc08675f9a2f58f0c5f88e130ca67b6a9e

  • SHA512

    8b953613760aa44d1a0ef712117470808f39e174520579a28190ede0d34b95b37e10a12e476bef8395d7af6bb054468b9c23bf4192baa2ac86f2645d41b389df

  • SSDEEP

    393216:s55+jreXFp9OHaumUZeL4AqK5HMBRBzXbmE6XTytYw6Bm:m5kqzOHaumyeL4D80aEoytYPm

Score
10/10
exelastealerdefense_evasionevasionpersistenceprivilege_escalationpyinstallerspywarestealer

Malware Config

Targets

    • Target

      twstealer-main.zip

    • Size

      12.8MB

    • MD5

      41ac7f3a38f52082b8a95a927eeb39af

    • SHA1

      348b3bae32b300d06fa53c4bffd43556d5998f6a

    • SHA256

      e75a8a541aeb8df44cb7904829518dbc08675f9a2f58f0c5f88e130ca67b6a9e

    • SHA512

      8b953613760aa44d1a0ef712117470808f39e174520579a28190ede0d34b95b37e10a12e476bef8395d7af6bb054468b9c23bf4192baa2ac86f2645d41b389df

    • SSDEEP

      393216:s55+jreXFp9OHaumUZeL4AqK5HMBRBzXbmE6XTytYw6Bm:m5kqzOHaumyeL4D80aEoytYPm

    Score
    1/10
    behavioral1

    • Target

      twstealer-main/README.md

    • Size

      213B

    • MD5

      ca590ff76610b5ecf5b5a90358a2f2b5

    • SHA1

      e7419522512ef6b03ada80bc30c1523a6fe96cd1

    • SHA256

      6b2fd37596c512ecf23863f3fe2ff672ce45401c341a55789907c43c5abe7a73

    • SHA512

      b40875f4eb18ab8acc533eb57beaaaf670a7fb0d47c2bbe35f0587e2ae5b6b956ba35447670a00a7ab2b0b40d72990807090f5972651b9c8d18b2088b5e174e7

    Score
    3/10
    behavioral2

    • Target

      twstealer-main/build.bat

    • Size

      751B

    • MD5

      387c2b3b6dcebabab504f79efdfb4ad4

    • SHA1

      069c2b1cd7300ff20fc9122cecd87b5a0c14b7e6

    • SHA256

      6490a8b68e886e637b82bf754184ad3e95e3e0b615564917763e235423af4fb3

    • SHA512

      26b0dc2b5c49800ea13d397d4a5cda3923f5de4cfb34efa3bd3881fc2f1873f21ee49da88b5a85b9e0b4000b27ff494ce838e0bbccb9eba4a1df0a6b35448e7b

    Score
    3/10
    behavioral3

    • Target

      twstealer-main/lib/webhook.json

    • Size

      150B

    • MD5

      31ed9f3bf35897af094ff7d901625f9d

    • SHA1

      232c40e60c83af29c31ecd0b8dc83d29c5b965c3

    • SHA256

      aa63b25fa953477a708d645595f5c63821bb28c35a1f7e755082193dab998559

    • SHA512

      efb698a60e488066172fc21b59e7fe76044a766aec5329af683374282dc2447fd15eb250589367c9a75f6bade3aa67bf0fbf971eaeb624e12fef916f820574b2

    Score
    3/10
    behavioral4

    • Target

      twstealer-main/lib/yourself/runme.exe

    • Size

      13.0MB

    • MD5

      d89113ebc5b873e79d643a542db44f07

    • SHA1

      cecb2c37a4eab3507548716dc80ba22b9e961efa

    • SHA256

      c08f0db9b95cb5772d950e450adf75ac15aeda301496e8cf1184edb30b347f84

    • SHA512

      92eebc88fb990a249d5a89d70e07cca205d05779b53a20aae780892a27d2945be5bdb00c67faec72564c6e5592db77e9e481c6b995810081f985c6864168ff47

    • SSDEEP

      393216:MAct+L01+l+uq+Vvj1+TtIiF90VQxPC7P6gK:MQ01+l+uqgvj1QtINiC7Pa

    Score
    10/10
    exelastealerdefense_evasionevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral5

    • Target

      Stub.pyc

    • Size

      178KB

    • MD5

      bd3382d5abc08aaa575a290a7ddf89b5

    • SHA1

      76d3c514e0299543c8796c5042f8300c48ea75d0

    • SHA256

      5d3a5ebc72f94585ba39b92cd22481fd0d89d751d58aeb9222f31f6cfedb49ca

    • SHA512

      7d0d62faf1b625180032cd20f37b196e61539c507c0458f7fa0b14cc39ac45b00db667ff3affa10d9f132cb4babb89304b3ad16174ca1c16a9e589e03f5fae5d

    • SSDEEP

      3072:IPGcc87YoHEj0S6njCuGivA0P2RvnxVZ7uuG6ZXG+7VyN4SWO/eM7f2tha01+r:IPGQ7jcvtY2Rvu+7VdQeC4d+r

    Score
    3/10
    behavioral6

    • Target

      twstealer-main/main.pyw

    • Size

      20KB

    • MD5

      4d47365a916e7f6b61f38fc79d707272

    • SHA1

      fc6ff201b90e5b0c133536d9984cc294a607ece2

    • SHA256

      e1b5454597224cca1c48cf91a2031afc87078399453dfee75964250c6149239d

    • SHA512

      5fea27276b98a4325b8e6b5c6cd50cd1a62696c4849d1d7727e395760b5898dd98e2538af43c171504f7a8a0b7103f67a2202676b145757145bb0489a036b152

    • SSDEEP

      192:X09Vpo21VorIJXKSpbF2ZbVbybvzgZILZH//uzEslBbjjZ+A+a/vaMX8BC1fSGDh:E9rrISuEslBAahAq1

    Score
    3/10
    behavioral7

    • Target

      twstealer-main/webhook.json

    • Size

      150B

    • MD5

      31ed9f3bf35897af094ff7d901625f9d

    • SHA1

      232c40e60c83af29c31ecd0b8dc83d29c5b965c3

    • SHA256

      aa63b25fa953477a708d645595f5c63821bb28c35a1f7e755082193dab998559

    • SHA512

      efb698a60e488066172fc21b59e7fe76044a766aec5329af683374282dc2447fd15eb250589367c9a75f6bade3aa67bf0fbf971eaeb624e12fef916f820574b2

    Score
    3/10
    behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks