exelastealer | f74bed37ff39840cd200c8ef355cba1e33495eeb4b2775b60c7c27a161198e90

General

Target

f74bed37ff39840cd200c8ef355cba1e33495eeb4b2775b60c7c27a161198e90
Size

26.0MB
Sample

240818-p6nvwathmd
MD5

a752c46c1fd96de4b52bce8f4b6c73bd
SHA1

341f2e8c51ea222701c10733ae78aea4dfad66a2
SHA256

f74bed37ff39840cd200c8ef355cba1e33495eeb4b2775b60c7c27a161198e90
SHA512

419d9edd0e6daeb0e9c2c82198c26f008b8fcf1513327fe7f29f0acc39f9ba88702051103a8d52b93c7ff186143085fc767f3ead509d12afd7f5148718fa0bcb
SSDEEP

786432:q+pQoh8FaAKRs8NCj4d1ZyjlLQVXaxiYSH:qfB4NRV/Zb0AYSH

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

https://consideratisiqw.shop/api

https://potentioallykeos.shop/api

https://interactiedovspm.shop/api

https://charecteristicdxp.shop/api

https://cagedwifedsozm.shop/api

https://deicedosmzj.shop/api

https://southedhiscuso.shop/api

https://consciousourwi.shop/api

https://tenntysjuxmz.shop/api

Targets

- Target
  
  pynacl/55c2a0e1.exe.vir
- Size
  
  11.9MB
- MD5
  
  9d4be46e4975f6337dc513f325752d70
- SHA1
  
  acd752a934a338aa427fd9dd0b3e9688eeba6d37
- SHA256
  
  55c2a0e161928486a5cccff9546754e4b49f4036a0a3aa3fd9ea46a83ecff62e
- SHA512
  
  96480f02894312130b6894e20f32e4512cfa6e0e07ee4c96c1408923a99361f35ad0d50d36f2347bc638e7364e8ea62fbbdb8c537a887f05e1bdd076ec938342
- SSDEEP
  
  196608:msRg2eCdqyU3b01Kpn3V+uq+VvpoA1HeT39IigQCeE9TFa0Z8DOjCdylVSE96QfU:PeC4dL01+l+uq+Vvz1+TtIiLPY9Z8D8g
Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2
- Target
  
  pynacl/5b330cbe.exe.vir
- Size
  
  27.6MB
- MD5
  
  c1bd7a3ba60147af1caa523749cb3014
- SHA1
  
  074f19762862ecaf9d7c03f31b5b4396106323f1
- SHA256
  
  5b330cbe268be0fa1319bb8a01940c62968cb9a794bbddfc94490787797774ae
- SHA512
  
  3fc160efddc88f6d4f1f262f80618e62de9f4470f5c5b7035ce56d25f8ef7e8e56e34eeeb53b38fcb67d50cd3673fb4aa570bf773a6fd58c5998f5330ca8dcab
- SSDEEP
  
  196608:E15M54yTcFwiTguo3iS7O5GlUOS+UYSa0eCm5:UM+yTcbTg73ffl0s0eh5
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  pynacl/91787447.exe.vir
- Size
  
  6.5MB
- MD5
  
  382d8a9708f98439d3c296793d63678b
- SHA1
  
  5f90f54af337a01024a304f408fad2f0de3e1c1e
- SHA256
  
  9178744797c11ca97840d5cf988b386f717fc5bedd19c125c0bff3d3e00e7816
- SHA512
  
  5f6634fa837a1df802fa0244591cd67301ce67ef4d13630f93830f7288bdc6c5ff544a66c638071b7235245629f00c477d56fd3edf0d0c61a70fb65d9c02d496
- SSDEEP
  
  196608:dvhQx028VugjZmEO6AyN/CBI5GnCeQHBxjsTnS1oebw:dJK02mb/xCixAe3c
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral5 behavioral6