blankgrabber | 2a64c064af3b4570c916c320e34f2198c82b3278aa31e8a1add59501d97baf9e

Sharing

General

Target

Nexus Checker.zip
Size

16.3MB
Sample

240712-se718a1cjg
MD5

680b953fa6b10a8ad84c2a69e1073cca
SHA1

90d52625a69bc71cbea26030f26b7008694e1834
SHA256

2a64c064af3b4570c916c320e34f2198c82b3278aa31e8a1add59501d97baf9e
SHA512

48bff486d44d6620755e419b09995775353edf71347c3645da3e783acb47dff059ffeebb7d96a3004608dd68d498c15da14e6ac4fbd8ff9bca33d265ddaff6b6
SSDEEP

196608:TRV15IB6ylnlPzf+JiJCsmFMvcn6hVvpqnxzKH/m4SwLRXgWPmpzdhqiYB6yD+K+:YBRlnlPSa7mmvc+cnxze5L1V8d8BR5aP

Score

10^/10

Malware Config

Targets

- Target
  
  Nexus Checker.zip
- Size
  
  16.3MB
- MD5
  
  680b953fa6b10a8ad84c2a69e1073cca
- SHA1
  
  90d52625a69bc71cbea26030f26b7008694e1834
- SHA256
  
  2a64c064af3b4570c916c320e34f2198c82b3278aa31e8a1add59501d97baf9e
- SHA512
  
  48bff486d44d6620755e419b09995775353edf71347c3645da3e783acb47dff059ffeebb7d96a3004608dd68d498c15da14e6ac4fbd8ff9bca33d265ddaff6b6
- SSDEEP
  
  196608:TRV15IB6ylnlPzf+JiJCsmFMvcn6hVvpqnxzKH/m4SwLRXgWPmpzdhqiYB6yD+K+:YBRlnlPSa7mmvc+cnxze5L1V8d8BR5aP
Score

1^/10
behavioral1 behavioral2
- Target
  
  Nexus Checker/Nexus Acc Verifyer.exe
- Size
  
  6.9MB
- MD5
  
  b67e6e2c2fb01f4d40d5812652d41ec3
- SHA1
  
  b562852aee42c86ce3219a953b7a5c7619698696
- SHA256
  
  8e518cdb6657cc1e277c9473866eda5bcaeaeab328b8bf5368ab658be32791de
- SHA512
  
  9a5137a84de557c6fff7ac211190ccac98a92a480f3f5ccc4c15ccc367f202fbae1c1860826d63969009b4832311c5a42fb71117ef3263bf16b8673e3bb0152f
- SSDEEP
  
  98304:FRkwN+MdA5wqM5AKL8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DoDZDJ1n6hBn7:FRV15IB6ylnlPzf+JiJCsmFMvcn6hVvj
Score

8^/10

upx defense_evasion execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral3 behavioral4
- Target
  
  �G6��.pyc
- Size
  
  1KB
- MD5
  
  8a021cee244a6cdc3e8bd5983c221059
- SHA1
  
  9526b5949c564f8f65fd374695064ea40b7369c1
- SHA256
  
  ee8becf36df0ab81996c8f42afe817bca9182315a42e7f46ff3f2836390e8699
- SHA512
  
  807afc9fbbc5cbdd808e263d153dac96d8840b379304a7b1cca46b3f53c652dadeb2d5b23f3108cf423d9ca9a4efccf8437d393e79f35673e9a7f39460267ce2
Score

1^/10
behavioral5 behavioral6
- Target
  
  Nexus Checker/Nexus Checker.exe
- Size
  
  9.4MB
- MD5
  
  01707a64b226dbfc5c31cf2424946d57
- SHA1
  
  e13e8ca8f4441eb8d46bdc76bfa8dc349cab35a5
- SHA256
  
  135cf2b8b7baf409bace9d55e5cfc71cd5973f465bd8c0a7c60e7bea640e1741
- SHA512
  
  1aa0d93d8e3ee17216bb464b1670681d25b91caac81d71cd78140ab81081bda7d1cd6b6780f5fc7c52ba0a84c2ce412599874b803aaa010d6f66284fb95fc945
- SSDEEP
  
  196608:8qnxzKH/m4SwLRXgWPmpzdhqiYB6yD+KdWryUQI1:tnxze5L1V8d8BR5a
Score

10^/10

upx exelastealer defense_evasion evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral7 behavioral8
- Target
  
  Stub.pyc
- Size
  
  803KB
- MD5
  
  a8a0ac4cd2313eea6dc557a218ea3a93
- SHA1
  
  c9c4afaf48153320001bb288d8dabc15a8456322
- SHA256
  
  6bb789391161f0b409a2efbbc6ebf193e449f595bb6af345abe420b9a90e3568
- SHA512
  
  27f25c9cb48a05457c7cdf44c68e663f607a1d8eccbd7d0d174cc39482082412e3e260c02d1a598c443b8cd38c4b0b35648de884288a19019ee79dd87cf7c7af
- SSDEEP
  
  24576:+rxir6YBEGdwH7Egx/jdNco5CA0JFm9okvjp:C2Y7EJa1
Score

3^/10
behavioral10 behavioral9
- Target
  
  Nexus Checker/README.txt
- Size
  
  949B
- MD5
  
  527eb47b440e622258e6f7b7a5453154
- SHA1
  
  ee84f80132970d9cc1498343d95d86bf6a6977bb
- SHA256
  
  7297f51e6a9f75254e674f3ccc4ba8dbc9d8a57c9e63fd3504430332f5a138c8
- SHA512
  
  10534935422ebb716c318f6039d63d6cccf7eb338ebca646202453ba3475bacef1804fb6aa98be0649513213798944e26d9a9a8c8b08fbc3bab1c26c1767b865
Score

1^/10
behavioral11 behavioral12
- Target
  
  Nexus Checker/config.json
- Size
  
  44B
- MD5
  
  1332014499b6149f2e77aaa675aa655e
- SHA1
  
  d5c5ff8279ead1053c49aa8b9e01c7da6c9f7d1a
- SHA256
  
  aa5c79f55be176639b2cf268aa24053408f9c57771f1213a0e2d2a56506aa855
- SHA512
  
  a5446a979851033c5e6fe17209fdfbabb2fa6bd60d9d21fb178a740d1043a5e7dc842ccd6eb0d1917382d13870172ca7098889af15b6bb7fd7f1e429744f3d1d
Score

3^/10
behavioral13 behavioral14