exelastealer | 7d95f2dbdfffd9227cc5832d6ee21c385a18c43b4155edc3a9fc1d988c63bf78

General

Target

Rebel.zip
Size

21.3MB
Sample

240821-we1hxswbkp
MD5

a9961347c2bf461935d49b18c44de4d8
SHA1

b0e6467d491a08800c5ba22c850150f12f9469e9
SHA256

7d95f2dbdfffd9227cc5832d6ee21c385a18c43b4155edc3a9fc1d988c63bf78
SHA512

3f1fff87139c40c36d73a84067b0b6714a2899d4d15207c9def07ddb70ae1aeb718546fc1e7092b3e709fe5cf0022be716f4bef937d89d4edab0d1f4c23bc1ea
SSDEEP

393216:N1gER06ohhz3+cMDTvxqIDhVYZT/cXP+Z/ZRcWOt2nZLOhpLD4PJUF8XlhlchC3c:N1Elh9Mv0ahKh0faTcOn1OhpP4RUF8Ve

Score

10^/10

Malware Config

Targets

- Target
  
  Rebel/Bin/Injector.exe
- Size
  
  4.8MB
- MD5
  
  8da7ffaee1e5988d56e536d37a5e5d7d
- SHA1
  
  ed799e5ec866ec3dff0bffb306de4b1ab2ca2361
- SHA256
  
  7450c90fad1d9ed73652c7fee391adb41ee2c62d5d43f3bdcab945e3fdec5485
- SHA512
  
  34579bfbee7ec802322b12cc91276dc440d2df63d8e02b55ec303a19b4a198810a97157cf82739d0c30a509928d797142cee133aec994f0c8f5c58c5a6aebd16
- SSDEEP
  
  98304:2sscM3M0egRUUYdiVF0Zx5NMEuRdvwp1cpY1t83Szkkak0jIiGELfHNz:Vrf0egyUKiVF0rF+dmcQtQSzkkakuR7V
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Rebel/RebelCracked.exe
- Size
  
  12.0MB
- MD5
  
  f000635d073452067c4cb62e5b86dc89
- SHA1
  
  9b0738a6b5ef860f99b1c1c63051ec9df64c00ad
- SHA256
  
  11b8d77615bf67f99ff344792f5739eb73157866f548c59ebcfcac70d5a6ef88
- SHA512
  
  ae3627afaf1678cf9707ebc97aa0f052ec9cda45e278edc8ca58236ff39c034f65d5391071545188bbe8ea5a6ca863cf9a52c03e334d7edd2f52889d25ebf6e6
- SSDEEP
  
  196608:pUOSVLnGmLiOwurZtOtvPpEujDSRZjBybLqDDFZhZNSvg23fQnXXOw8sUl6Q/+qS:peVLGQiJurZtO71jDSvVyXqfFbZCbQfL
Score

10^/10

discovery execution pyinstaller upx exelastealer collection credential_access defense_evasion evasion spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral3 behavioral4