exelastealer | 0acf9a31d3fbee46692c4a92d867038b6296d72b7d1d24b986d3f558e4cb7c90

General

Target

NNLoader.exe
Size

9.4MB
Sample

240823-21f93athkk
MD5

4ed456dfa36635dabf31d6571c53362f
SHA1

e6cd5d7271f99d04b90736e3e5defd0988f3103b
SHA256

0acf9a31d3fbee46692c4a92d867038b6296d72b7d1d24b986d3f558e4cb7c90
SHA512

337bdf3daa2ee09e2ffac24f549faa9e770bc3938062b5d88eaf2accfc10e9e098c8c7e55a16d4b3316e186b2ae1bb46868aa05c6b1c7b6abc17468c41f0fd15
SSDEEP

196608:kTPCeRqxlEAtJb3tQk5tARHvUWvo3hxjno/w3iFCxHQbRpXJBz23:Hnt7v5tARHdgxro/w3uCxHQb5Z2

Score

10^/10

Malware Config

Targets

- Target
  
  NNLoader.exe
- Size
  
  9.4MB
- MD5
  
  4ed456dfa36635dabf31d6571c53362f
- SHA1
  
  e6cd5d7271f99d04b90736e3e5defd0988f3103b
- SHA256
  
  0acf9a31d3fbee46692c4a92d867038b6296d72b7d1d24b986d3f558e4cb7c90
- SHA512
  
  337bdf3daa2ee09e2ffac24f549faa9e770bc3938062b5d88eaf2accfc10e9e098c8c7e55a16d4b3316e186b2ae1bb46868aa05c6b1c7b6abc17468c41f0fd15
- SSDEEP
  
  196608:kTPCeRqxlEAtJb3tQk5tARHvUWvo3hxjno/w3iFCxHQbRpXJBz23:Hnt7v5tARHdgxro/w3uCxHQb5Z2
Score

10^/10

upx exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2
- Target
  
  Stub.pyc
- Size
  
  799KB
- MD5
  
  1883070249e753167dc78153e2326a4c
- SHA1
  
  73c3d759425f21638e9eeaea0972604fe180f77b
- SHA256
  
  57ed0a05eaca9932d88e48cad88eba55c103cad705f61fa9052b1d9573328d19
- SHA512
  
  f08cd69fd8cc37bdeb3e579c9c6df7dd45fdafa574a7fc74411ef11cbaad06f588dc06b5045da2bfc94244a765fc05cb482a7ab42f5248200ae9ae7690c80cdc
- SSDEEP
  
  24576:4DWVygd6NVH/xPY83LYVqnDmi43hOdXgKt:4JgmUqDFX
Score

3^/10

discovery
behavioral3 behavioral4