Overview

overview

10

Static

static

3

Loader.exe

windows7-x64

7

Loader.exe

windows10-2004-x64

10

diaguard.dll

windows7-x64

1

diaguard.dll

windows10-2004-x64

1

msys-2.0.dll

windows7-x64

7

msys-2.0.dll

windows10-2004-x64

10

tmpD01A.dll

windows7-x64

1

tmpD01A.dll

windows10-2004-x64

1

vcruntime140.dll

windows7-x64

1

vcruntime140.dll

windows10-2004-x64

1

winAPI.exe

windows7-x64

7

winAPI.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vanta.zip

  • Size

    12.4MB

  • Sample

    240805-nmcstsvdmr

  • MD5

    e0b292c28644804ff4c4d3f8d3bdf815

  • SHA1

    d58d841d0b941fc97fede7456e443b8e684b9aef

  • SHA256

    3142e7f71f6344d637ee37a74050c862a3948c8b54d4896235af9aa418a6ee12

  • SHA512

    36d3447f415fc9512fd751bad7bbd7c268e4cb77a416154f3d7a3fa0e8fdf8ca3d9d1ad868e16f1181fb8c1db95a3e955f9cf5d7bed7b7813333919852eeb2c8

  • SSDEEP

    393216:Uc5g49zuwB3GMNdOqlsm9dJteVDnGZvrOW:Umg49zD9ZLlsm9zteVDGZB

Score
10/10
exelastealercollectioncredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Loader.exe

    • Size

      53KB

    • MD5

      f323bb458ecbd21acdddd5ea770e775f

    • SHA1

      9b04a6ea2e6efcc81d344f6425928c5700e9a3f6

    • SHA256

      4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926

    • SHA512

      ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2

    • SSDEEP

      768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim

    Score
    10/10
    pyinstallerupxexelastealercollectioncredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Windows Firewall

      evasion

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      diaguard.dll

    • Size

      323KB

    • MD5

      1b3a0b66a70b6b74666ac923fcd20d31

    • SHA1

      52f0c36087a4260688edec6577590b376b4700a3

    • SHA256

      3638b6d7cdd4828f5e53a314756b88f19da36aaa812eb6889a10f3f55860b85e

    • SHA512

      fc28b60a32ef3362573022f5ba08fb48c037086a57b77d38ff01b87af69ffdf1e8d4d6ef69b63852d71cdc9a0f6153d632e9fe1c4f69b67c83ae5a9a54835179

    • SSDEEP

      6144:htoTifGdN3JVghfnfxKEh15YILfR5vzzFiKMoJwV50DErmQeX:PoTifEJVyt5YIDbz3D

    Score
    1/10
    behavioral3behavioral4

    • Target

      msys-2.0.dll

    • Size

      88KB

    • MD5

      bc28ce9500491be20df85d4cf2b823f1

    • SHA1

      d25389e205f09659e579e0582447f146ca2f8674

    • SHA256

      282a5d95421706a6934034f41b5715329219f3120d974f5feeaef33b908de225

    • SHA512

      b122350555a2f16cc4aeae15f2aff8ff360658e2d6e0d6f4c1c01d09cdec529405fbf615263ed17032891464368d908ab6762a5bc123f25473e9b8abdf437ca2

    • SSDEEP

      1536:zsnsTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtfyeL5eim:InOo6yOJRJ2X/czv0EH80OrxE9CtfyeC

    Score
    10/10
    pyinstallerupxexelastealercollectioncredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral5behavioral6

    • Target

      tmpD01A.dll

    • Size

      3.5MB

    • MD5

      1a201cec87e2370a08dc00acc065501a

    • SHA1

      02ff14bbb59d380cc8e7ffea711d978248bfcb83

    • SHA256

      709f39277a3393fbdb4349bb19b80e2d976dd8926d6fcbe0e59d699338846016

    • SHA512

      e80e75a672807dfa1da6002bb02e8024eaadb75f79f22c40c72c82c213d99b3f4dcdeb963a7587c0a5532fa8b6c53e9ac6eb512fc422d654191215e266eef1e1

    • SSDEEP

      98304:UMoiKk/w5lfGCSlKNS48Rzp3roT91u7MHLzV0ZghXVp2vGmB:8iKk/9CSlKNvq

    Score
    1/10
    behavioral7behavioral8

    • Target

      vcruntime140.dll

    • Size

      116KB

    • MD5

      699dd61122d91e80abdfcc396ce0ec10

    • SHA1

      7b23a6562e78e1d4be2a16fc7044bdcea724855e

    • SHA256

      f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

    • SHA512

      2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

    • SSDEEP

      1536:KqvQFDdwFBHKaPX8YKpWgeQqbekRG7MP4ddbsecbWcmpCGa3QFzFtjXzp:KqvQFDUXqWn7CkRG7YecbWb9a3kDX9

    Score
    1/10
    behavioral10behavioral9

    • Target

      winAPI.dll

    • Size

      28.5MB

    • MD5

      a6c1b27e646cf5904a69e45ffc8808d5

    • SHA1

      7cbafd874594bf3ee91cc49d7fa8ec686b4cad80

    • SHA256

      d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66

    • SHA512

      b55adebe3be59f15eb66a80d2b328d20e3a7fb1aa8d666e37195855f0a510e9abaefe0ad58ec20e14b1d3426995c9e54c6fe9491704db44931a2777eb5e8c2c8

    • SSDEEP

      393216:Em+sFHI7EzNFAUYl8XRQo/gCcT5NB35jmxEsYAwD6UWsNWcxjQl:Em+GCl3nNWclM

    Score
    10/10
    pyinstallerupxexelastealercollectioncredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks