General

  • Target

    Boostrapper.exe

  • Size

    17.7MB

  • Sample

    240902-bfcs2axbmq

  • MD5

    3a8ef52672f6cd1f335beeb2b28e57c6

  • SHA1

    4fb4e48927a7b5625e62068ebb37b87e55ac3b43

  • SHA256

    e488fa0094d9dc11a6cca45d62031f51d8921ec21365d20c49704454f4242c8a

  • SHA512

    d1ec22e5e2ad1e2102b1d74dce0e4513d1253140ed7bf711e9683f5bcbebbbb10847e4c7910c4d20fa80c85fa08abb96ae4680589f8ebcb134e1156042c73fd0

  • SSDEEP

    393216:MvBDEiRnbX8FogxJKehpUqlRs6Uy/pWu4kRzLrsrF:MJDE0bsFogiCYy/pWJF

Malware Config

Targets

    • Target

      Boostrapper.exe

    • Size

      17.7MB

    • MD5

      3a8ef52672f6cd1f335beeb2b28e57c6

    • SHA1

      4fb4e48927a7b5625e62068ebb37b87e55ac3b43

    • SHA256

      e488fa0094d9dc11a6cca45d62031f51d8921ec21365d20c49704454f4242c8a

    • SHA512

      d1ec22e5e2ad1e2102b1d74dce0e4513d1253140ed7bf711e9683f5bcbebbbb10847e4c7910c4d20fa80c85fa08abb96ae4680589f8ebcb134e1156042c73fd0

    • SSDEEP

      393216:MvBDEiRnbX8FogxJKehpUqlRs6Uy/pWu4kRzLrsrF:MJDE0bsFogiCYy/pWJF

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks