exelastealer | 35155e8468c1287a21e03699a55325378001fa060ee79a1db8f5b02e82adc33d

Sharing

General

Target

libavresample-4.zip
Size

4.4MB
Sample

240912-tey9rasfnl
MD5

095b59d6465bf6491daccd0d4cf9baf0
SHA1

b5d488cf23c1a6e6e7cfaa777657f8ad9a87ec32
SHA256

35155e8468c1287a21e03699a55325378001fa060ee79a1db8f5b02e82adc33d
SHA512

8aa151f915a6d2190246d0000ab5d2a27646fd925522cb334fb7273e93135c1becf4fd19980afccaf5730d5d178889a1b52acb012814ac6fc16dcb4dd781ef29
SSDEEP

98304:c8luglqUM5DjX1SUeQAbWSFhMDC//X3yV8:/l4ZjFSpQAb1hK6c8

Score

10^/10

Malware Config

Targets

- Target
  
  libavresample-4.zip
- Size
  
  4.4MB
- MD5
  
  095b59d6465bf6491daccd0d4cf9baf0
- SHA1
  
  b5d488cf23c1a6e6e7cfaa777657f8ad9a87ec32
- SHA256
  
  35155e8468c1287a21e03699a55325378001fa060ee79a1db8f5b02e82adc33d
- SHA512
  
  8aa151f915a6d2190246d0000ab5d2a27646fd925522cb334fb7273e93135c1becf4fd19980afccaf5730d5d178889a1b52acb012814ac6fc16dcb4dd781ef29
- SSDEEP
  
  98304:c8luglqUM5DjX1SUeQAbWSFhMDC//X3yV8:/l4ZjFSpQAb1hK6c8
Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2
- Target
  
  NexusChecker.exe
- Size
  
  605.6MB
- MD5
  
  2ba4db56200d2b07505c1eff5faed706
- SHA1
  
  5cf6b2fcd1fd2f93a324151f86b124ea2bb94dd6
- SHA256
  
  543fee52f65842ef6397ceca2b2516785103e93aecc58d340360ee76260684fa
- SHA512
  
  59873ce651896d3a3fc11656b3e3a1e56b94be13bf7244521c29194d75517514325765a00e1da9189b15dd291b09b5fb43509d61599c4ea0fe77a053c5f988b1
- SSDEEP
  
  49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q
Score

9^/10

discovery evasion execution themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  freebl3.dll
- Size
  
  845KB
- MD5
  
  662847f88f937be3b0e262891f3d7cb0
- SHA1
  
  5bb6b578064308fc39eb5a69c02ea893d4fdc037
- SHA256
  
  2eaded431adbfc17df0bb75d2706d527d14038f1f63aa85b41e2434ca3da9448
- SHA512
  
  4efefa4df931fa4c1d982947966cb3e80a5a4a932877ba41234ccb7ed1a69fe7ae183bd172dcd1a969d5f7572e12f380f4c3aab6078b7971764afb72e23af145
- SSDEEP
  
  12288:21wJLtapx8ThpZiwkeumCcN9XraJbJRPgUiZLoqnhhey:2KLtaATht7umCcN9XmJbJFriS+hhp
Score

1^/10
behavioral5 behavioral6
- Target
  
  gkcodecs.dll
- Size
  
  462KB
- MD5
  
  5b11259c1f70f005cc3138d076bc463f
- SHA1
  
  b3d8355d0e805ef251e5639a411f815c25b1cbcf
- SHA256
  
  50d8319352761bce751bb54c0a3d295691612b5b5a8fcfe687f1f6e690d0604d
- SHA512
  
  8b0b78d5bfc034dfa1d3d237842f3ddc1638bb72292c3eb72748ab398ea5670a3703ecae7324262705b304cba7c28cb5d264316d747f480b68cf25bdfecb1aa5
- SSDEEP
  
  12288:Ow2BLenEPdBA0BHCwyhleRMDgSx/FLZvb3kN:OLBMCDA0BCwyhleRMjx/FZc
Score

1^/10
behavioral7 behavioral8
- Target
  
  libavresample-4.dll
- Size
  
  578KB
- MD5
  
  43a5181dbc20f32106f44d9d493069c1
- SHA1
  
  7f8d85c35f9d2af64c31050bda616743a9f6fe5b
- SHA256
  
  69080064d63fa9724960c58767fde0a8202c101704241f0787f13359cc8eaa88
- SHA512
  
  e85efc93b1746ff141e5f158db6fe7f314e2fe488581d0442733af36d2fcfbbd458522d327a38abc0ae20e55b2fbc7dd8ba54aaf7dbe9dc8c7439a9fea436ad2
- SSDEEP
  
  12288:ox+wa4fcKToINMyVZBJm5QsW8N/raVikaNs1+gzPzjR/+ozEjLZvoSy7:dKzjRmvoN7
Score

6^/10

discovery persistence privilege_escalation
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral10 behavioral9
- Target
  
  libavutil-56.dll
- Size
  
  1.2MB
- MD5
  
  7cdeb2075bde3b7cd500e50e87d291f1
- SHA1
  
  7860db250f2cefb8e14cf8631a342d7cd489bba4
- SHA256
  
  ca3b5aa8a79edeed61d7526e44b68c6968f15e074a0f767cf6cbfc148dfbf8c4
- SHA512
  
  cc85f35454e8533e604da9296dfb74c27a6ed24b45b621fcaa308951a43dd83ff7a0f351f8930c9874920475ea13486010b01ee8712aee19cc9603e5da8b0eca
- SSDEEP
  
  24576:JeNaqLQN99oBo9BmGTwWW1Ih2QQ4vROb46yk/5WA/:JeNJC9ko9BmGTBw4NGsO
Score

3^/10

discovery
behavioral11 behavioral12