Overview

overview

10

Static

static

3

b76d4867e6...4b.exe

windows7-x64

7

b76d4867e6...4b.exe

windows10-2004-x64

10

b76d4867e6...4b.exe

windows11-21h2-x64

10

prebuild.pyc

windows7-x64

3

prebuild.pyc

windows10-2004-x64

3

prebuild.pyc

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    18819746574.zip

  • Size

    12.1MB

  • Sample

    240903-ml8y7svhne

  • MD5

    4cc0211ec6af6d9519652a58dd55179a

  • SHA1

    7e97ee2ed8e3e15d9e617faebe0e2cd94d4e46b3

  • SHA256

    098cf009334d253d3296fd1014458cd0fd4f7af1c98b504776206192d6183008

  • SHA512

    0015b689719be6281f2855714448491dc756259b242fe592f8e4237b4054d516438c1bd495fa95da39a88ad6a53648ce3ba6382adec905bf351fbf60a1a0c6ac

  • SSDEEP

    196608:MmxaI4UL9cIc7KUrnG7JF+uc7xJTO6EreypPywkZ0IUj24PKSOHc46wJBtwZmEfb:M3zUpcSM17x9ODNgZ05KjlJoHT

Score
10/10
exelastealercollectioncredential_accessdiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealer

Malware Config

Targets

    • Target

      b76d4867e61e27582537c783675765cf17d1929faa1a03056f1d67bb7a5b764b

    • Size

      12.2MB

    • MD5

      45acfd027045f4865fa173b9f9a54dcd

    • SHA1

      59960f9e5bf924e1df86a213cf712c5e37b8f560

    • SHA256

      b76d4867e61e27582537c783675765cf17d1929faa1a03056f1d67bb7a5b764b

    • SHA512

      55ead3a90ed2019a52c0d4c3fe238b1ff95a935c6ff73428fb28fc9567a7a0f268b72e041e02690da8fc2bc11ec7cd0ba54e3345b3da7ab65eccc6a0f69c9a6c

    • SSDEEP

      393216:IQdqyL01+l+uq+Vv2dQJlewF3MnG3xl5OBsnarIWeRaDH:Iq/01+l+uqgv2dQT3MGx2GVRq

    Score
    10/10
    exelastealercollectioncredential_accessdiscoveryevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2behavioral3

    • Target

      prebuild.pyc

    • Size

      244KB

    • MD5

      ea2dbd6f1b1d4131871713028269225c

    • SHA1

      4587bebed06ce225034653ac369ed23c0cb9162d

    • SHA256

      6e98f771b39c2ae812542fd568163aeee0b2ea518b5df8116be63819fe155d81

    • SHA512

      303b498e1a89385d1136be22be6df668332a47614246f0550d0b8fcd4fd1578378f9769ec335a21a5c8c2ee3424954cf298a613f514e5b59fc6abb7736fb4ca5

    • SSDEEP

      6144:7qFiq9c+GyVqdLY4t9bY3zza5XbTuFxJ5N2VPA:7Ciq9cfdLYm9baoVPA

    Score
    3/10
    discovery
    behavioral4behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks