Overview

overview

10

Static

static

3

Exela.exe

windows10-1703-x64

7

Exela.exe

windows11-21h2-x64

10

Stub.pyc

windows10-1703-x64

3

Stub.pyc

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Exela.exe

  • Size

    17.5MB

  • Sample

    240722-xagqpasbln

  • MD5

    091adbcc3e35eefbb32493278a8fb7de

  • SHA1

    e14f90e01c064190fe586e2a631dd343fc4c2404

  • SHA256

    279a5de1d5a4bb24adf2125e76f20d87a99c90f660ea6e25672fa8b195e68592

  • SHA512

    d0fab0f0a92d7c63e0dad5e63b5036bee661952362f1525ec3ac668d67c553dbb6fc589985483a9aa40982fefc2dd91a7b6ddcdd761696b9cc58334d2f7d7793

  • SSDEEP

    196608:xRtF1sJdPY71DkTeNrYFJMIDJ+gsAGKmSE2R2QgmJqkygWXO:PtI3c1b8Fqy+gsMTXzr

Score
10/10
exelastealerdefense_evasionevasionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Exela.exe

    • Size

      17.5MB

    • MD5

      091adbcc3e35eefbb32493278a8fb7de

    • SHA1

      e14f90e01c064190fe586e2a631dd343fc4c2404

    • SHA256

      279a5de1d5a4bb24adf2125e76f20d87a99c90f660ea6e25672fa8b195e68592

    • SHA512

      d0fab0f0a92d7c63e0dad5e63b5036bee661952362f1525ec3ac668d67c553dbb6fc589985483a9aa40982fefc2dd91a7b6ddcdd761696b9cc58334d2f7d7793

    • SSDEEP

      196608:xRtF1sJdPY71DkTeNrYFJMIDJ+gsAGKmSE2R2QgmJqkygWXO:PtI3c1b8Fqy+gsMTXzr

    Score
    10/10
    upxexelastealerdefense_evasionevasionpersistenceprivilege_escalationpyinstallerspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      Stub.pyc

    • Size

      799KB

    • MD5

      b5538b9d40603d6816590aef2c71f30e

    • SHA1

      aab1cb86da84ef886da30c976c9c56de984393b0

    • SHA256

      0ed0d7ae0151bb5954e491042d8ce5730433bebe2fa9922c3157410076e499cb

    • SHA512

      14d63b8cc238e87992e929336ed3ace9338bfdeb0d26504abbb752fed14e0670a8b4e5a0e178cdb63b92e8a95f12ee10b159b0bae7d51f0a1ab746acffd09d0b

    • SSDEEP

      12288:d+RfL9KYKF8UN9zTMdFd1ZwcCughgkp25jSmfNznHE2T9ODgOy02KlQSnDh3L8:kzgYQjowcCuO5p+GmV7SkK2A4

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks