exelastealer | 9c27c452ff1ebbcfbb34f1062ae68285892c58c6bc5dcdf326718e8d17045c61

General

Target

Solara.rar
Size

10.7MB
Sample

240912-y8z6cstbnh
MD5

4dee84b7303026ef481573d139086ad2
SHA1

d85c0a9a064815dff18a33a4c5e8ecbf4eee49df
SHA256

9c27c452ff1ebbcfbb34f1062ae68285892c58c6bc5dcdf326718e8d17045c61
SHA512

769d9123bc2049285c8dde3ed03e248c5189af4a0265f601521c1ff15b6949867a53ce64ec4e1412edc905c611c826016df92c15c9e55366cf349e034ec91832
SSDEEP

196608:yhxL3V5FXuVB3Ye+7pIPLS5n+JOgumvW7YGQsLItBrbDjoz0VGaTvkRS7:mzVbXaeg+0JTzltVbDzw68RS7

Score

10^/10

Malware Config

Targets

- Target
  
  Solara.rar
- Size
  
  10.7MB
- MD5
  
  4dee84b7303026ef481573d139086ad2
- SHA1
  
  d85c0a9a064815dff18a33a4c5e8ecbf4eee49df
- SHA256
  
  9c27c452ff1ebbcfbb34f1062ae68285892c58c6bc5dcdf326718e8d17045c61
- SHA512
  
  769d9123bc2049285c8dde3ed03e248c5189af4a0265f601521c1ff15b6949867a53ce64ec4e1412edc905c611c826016df92c15c9e55366cf349e034ec91832
- SSDEEP
  
  196608:yhxL3V5FXuVB3Ye+7pIPLS5n+JOgumvW7YGQsLItBrbDjoz0VGaTvkRS7:mzVbXaeg+0JTzltVbDzw68RS7
Score

3^/10
behavioral1 behavioral2
- Target
  
  Solara/BootstrapperV1.18.exe
- Size
  
  11.2MB
- MD5
  
  7b7c9af10f65f91d0dfa704b47df1ab3
- SHA1
  
  56001ae93e167310c4c93e626599b2189717ab46
- SHA256
  
  06ec992467d151d23b2574124b6e7955087c3f32a684627acb8d505938bd1220
- SHA512
  
  1280660abf697fd92610224cd09b3b0db6539acea64bc715dc2605fb17a2be706c4595183744d4cb5b5781cb5aef7d5a2ad89a5bfdceb67f27b89921cd367582
- SSDEEP
  
  196608:gzzuYRi/rQvzqTYzbmP3zxfY1gD5MC7ZFWdaZSABYVNx6VyM70vEu:8uIizQrOemPDxg1qHs+EVNMyM708
Score

10^/10

discovery pyinstaller upx exelastealer collection credential_access defense_evasion evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral3 behavioral4
- Target
  
  Solara/RIVALS SCRIPT.txt
- Size
  
  89B
- MD5
  
  13fbaf598afcb4c11235516a168b39b6
- SHA1
  
  e898cc6616217c11e46da49ef302191c7de371e6
- SHA256
  
  adec247fcf0e27cd1e5f533711fc43d6b172da44d483a400dd8e4a4addad1e28
- SHA512
  
  1eee8e2ce6ce6a1ac868a8112a4b611620c850b07aa3dddf397b621109ead352298511817deec3d5735080105577635cdd081bec90b10737fd590f523716ccad
Score

1^/10
behavioral5 behavioral6