exelastealer | 3142e7f71f6344d637ee37a74050c862a3948c8b54d4896235af9aa418a6ee12

Sharing

General

Target

Vanta Public.zip
Size

12.4MB
Sample

240726-2n85basgjg
MD5

e0b292c28644804ff4c4d3f8d3bdf815
SHA1

d58d841d0b941fc97fede7456e443b8e684b9aef
SHA256

3142e7f71f6344d637ee37a74050c862a3948c8b54d4896235af9aa418a6ee12
SHA512

36d3447f415fc9512fd751bad7bbd7c268e4cb77a416154f3d7a3fa0e8fdf8ca3d9d1ad868e16f1181fb8c1db95a3e955f9cf5d7bed7b7813333919852eeb2c8
SSDEEP

393216:Uc5g49zuwB3GMNdOqlsm9dJteVDnGZvrOW:Umg49zD9ZLlsm9zteVDGZB

Score

10^/10

Malware Config

Targets

- Target
  
  Loader.exe
- Size
  
  53KB
- MD5
  
  f323bb458ecbd21acdddd5ea770e775f
- SHA1
  
  9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
- SHA256
  
  4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
- SHA512
  
  ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
- SSDEEP
  
  768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim
Score

10^/10

pyinstaller upx exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies Windows Firewall
  evasion
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2
- Target
  
  diaguard.dll
- Size
  
  323KB
- MD5
  
  1b3a0b66a70b6b74666ac923fcd20d31
- SHA1
  
  52f0c36087a4260688edec6577590b376b4700a3
- SHA256
  
  3638b6d7cdd4828f5e53a314756b88f19da36aaa812eb6889a10f3f55860b85e
- SHA512
  
  fc28b60a32ef3362573022f5ba08fb48c037086a57b77d38ff01b87af69ffdf1e8d4d6ef69b63852d71cdc9a0f6153d632e9fe1c4f69b67c83ae5a9a54835179
- SSDEEP
  
  6144:htoTifGdN3JVghfnfxKEh15YILfR5vzzFiKMoJwV50DErmQeX:PoTifEJVyt5YIDbz3D
Score

1^/10
behavioral3 behavioral4
- Target
  
  msys-2.0.dll
- Size
  
  88KB
- MD5
  
  bc28ce9500491be20df85d4cf2b823f1
- SHA1
  
  d25389e205f09659e579e0582447f146ca2f8674
- SHA256
  
  282a5d95421706a6934034f41b5715329219f3120d974f5feeaef33b908de225
- SHA512
  
  b122350555a2f16cc4aeae15f2aff8ff360658e2d6e0d6f4c1c01d09cdec529405fbf615263ed17032891464368d908ab6762a5bc123f25473e9b8abdf437ca2
- SSDEEP
  
  1536:zsnsTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtfyeL5eim:InOo6yOJRJ2X/czv0EH80OrxE9CtfyeC
Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral5 behavioral6
- Target
  
  tmpD01A.dll
- Size
  
  3.5MB
- MD5
  
  1a201cec87e2370a08dc00acc065501a
- SHA1
  
  02ff14bbb59d380cc8e7ffea711d978248bfcb83
- SHA256
  
  709f39277a3393fbdb4349bb19b80e2d976dd8926d6fcbe0e59d699338846016
- SHA512
  
  e80e75a672807dfa1da6002bb02e8024eaadb75f79f22c40c72c82c213d99b3f4dcdeb963a7587c0a5532fa8b6c53e9ac6eb512fc422d654191215e266eef1e1
- SSDEEP
  
  98304:UMoiKk/w5lfGCSlKNS48Rzp3roT91u7MHLzV0ZghXVp2vGmB:8iKk/9CSlKNvq
Score

1^/10
behavioral7 behavioral8
- Target
  
  vcruntime140.dll
- Size
  
  116KB
- MD5
  
  699dd61122d91e80abdfcc396ce0ec10
- SHA1
  
  7b23a6562e78e1d4be2a16fc7044bdcea724855e
- SHA256
  
  f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1
- SHA512
  
  2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff
- SSDEEP
  
  1536:KqvQFDdwFBHKaPX8YKpWgeQqbekRG7MP4ddbsecbWcmpCGa3QFzFtjXzp:KqvQFDUXqWn7CkRG7YecbWb9a3kDX9
Score

1^/10
behavioral10 behavioral9
- Target
  
  winAPI.dll
- Size
  
  28.5MB
- MD5
  
  a6c1b27e646cf5904a69e45ffc8808d5
- SHA1
  
  7cbafd874594bf3ee91cc49d7fa8ec686b4cad80
- SHA256
  
  d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66
- SHA512
  
  b55adebe3be59f15eb66a80d2b328d20e3a7fb1aa8d666e37195855f0a510e9abaefe0ad58ec20e14b1d3426995c9e54c6fe9491704db44931a2777eb5e8c2c8
- SSDEEP
  
  393216:Em+sFHI7EzNFAUYl8XRQo/gCcT5NB35jmxEsYAwD6UWsNWcxjQl:Em+GCl3nNWclM
Score

10^/10

pyinstaller upx exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral11 behavioral12

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Targets

Exela Stealer

Credentials from Password Stores: Credentials from Web Browsers

Grants admin privileges

Clipboard Data

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Looks up external IP address via web service

Modifies Windows Firewall

Network Service Discovery

Enumerates processes with tasklist

Hide Artifacts: Hidden Files and Directories

Exela Stealer

Credentials from Password Stores: Credentials from Web Browsers

Grants admin privileges

Modifies Windows Firewall

Clipboard Data

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Looks up external IP address via web service

Network Service Discovery

Enumerates processes with tasklist

Hide Artifacts: Hidden Files and Directories

Exela Stealer

Credentials from Password Stores: Credentials from Web Browsers

Grants admin privileges

Modifies Windows Firewall

Clipboard Data

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Looks up external IP address via web service

Network Service Discovery

Enumerates processes with tasklist

Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12