exelastealer | 08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64

Sharing

General

Target

08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
Size

47.1MB
Sample

240917-q7l84swdqe
MD5

66d48388a031b9cfbce19c6ac6fd3d71
SHA1

3f27e8d2ba7abf435c2056da7fc435081b461a08
SHA256

08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
SHA512

556efccdc5eb8872dd18345c2f96efffb58c1f10ef5214056c0e49042f81c40e72f01fee7eab246aeec45a3fc4bd54663f0e45677acc4d679f1ae007abfff990
SSDEEP

786432:NiEwzN8Wa35zYTIRaZD5G/p5H72RiL5WmVvz2a3yHoRYxCDDEHTCn2jM77b/BQc5:NXwzeWaJzYTXdsp5H72q5WW2hIR9sCn5

Score

10^/10

Malware Config

Targets

- Target
  
  08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
- Size
  
  47.1MB
- MD5
  
  66d48388a031b9cfbce19c6ac6fd3d71
- SHA1
  
  3f27e8d2ba7abf435c2056da7fc435081b461a08
- SHA256
  
  08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
- SHA512
  
  556efccdc5eb8872dd18345c2f96efffb58c1f10ef5214056c0e49042f81c40e72f01fee7eab246aeec45a3fc4bd54663f0e45677acc4d679f1ae007abfff990
- SSDEEP
  
  786432:NiEwzN8Wa35zYTIRaZD5G/p5H72RiL5WmVvz2a3yHoRYxCDDEHTCn2jM77b/BQc5:NXwzeWaJzYTXdsp5H72q5WW2hIR9sCn5
Score

10^/10

discovery pyinstaller upx exelastealer collection credential_access defense_evasion evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/SpiderBanner.dll
- Size
  
  9KB
- MD5
  
  17309e33b596ba3a5693b4d3e85cf8d7
- SHA1
  
  7d361836cf53df42021c7f2b148aec9458818c01
- SHA256
  
  996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
- SHA512
  
  1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
- SSDEEP
  
  192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/StdUtils.dll
- Size
  
  100KB
- MD5
  
  c6a6e03f77c313b267498515488c5740
- SHA1
  
  3d49fc2784b9450962ed6b82b46e9c3c957d7c15
- SHA256
  
  b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
- SHA512
  
  9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- SSDEEP
  
  3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/WinShell.dll
- Size
  
  3KB
- MD5
  
  1cc7c37b7e0c8cd8bf04b6cc283e1e56
- SHA1
  
  0b9519763be6625bd5abce175dcc59c96d100d4c
- SHA256
  
  9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
- SHA512
  
  7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  LICENSES.chromium.html
- Size
  
  4.6MB
- MD5
  
  87c025c61eabd6db771c0279d880c6a7
- SHA1
  
  1d3797edecdc7ddc87ecb5ba09d87e18933cc9eb
- SHA256
  
  508fc2e843a8385cb8ef874520ea097e5de752c3dbc040ed0525269cb05dbbc3
- SHA512
  
  56b1dc52ba3a3b277a1fcc84b9989cbd446636fa8f518c48d366642b48e252be9d86593027ecf5d1e00968cccafc4b9a8cd69178c0e8da52c538c85012e63f19
- SSDEEP
  
  24576:woBBlmnLiLk8hrwrDK7QfkUW2wyfQlQuL:LblmLAFtuO80lr
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  d3dcompiler_47.dll
- Size
  
  4.3MB
- MD5
  
  fea40e5b591127ae3b065389d058a445
- SHA1
  
  621fa52fb488271c25c10c646d67e7ce5f42d4f8
- SHA256
  
  4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345
- SHA512
  
  d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9
- SSDEEP
  
  49152:cwBNwAqRvTvbehyCZ5xRmhErU6jFyU+dQZTHchy0eQago4I+oiP85+hA6+Se4QQU:SUZ5P7FwcAgLbz+3s0Bm
Score

1^/10
behavioral13
- Target
  
  ffmpeg.dll
- Size
  
  2.6MB
- MD5
  
  5f5abaee3925504ca6b1dcc358e639a9
- SHA1
  
  feca951b321e903254b6e0347d9f3e698471241d
- SHA256
  
  d12f0ce401dc6fcf5337f82b4cc7055d893f135ca5ed79978f1801fadaf0a39c
- SHA512
  
  5d3707f3c00a8b01ff29f3763817813170bf3b727960c5d5ea8a7e066d7eb80de2e947ae19b7d2de23d7594bb16ac0f2046ed6b1186cd239b239c0abaacbde92
- SSDEEP
  
  49152:seQ7nWBO4+L16gqkpkk4v3Hda7osRUAp3+UikWfqgjnP1Fy4Xoi:/LBOjMUq04b
Score

1^/10
behavioral14 behavioral15
- Target
  
  github.exe
- Size
  
  105.6MB
- MD5
  
  e40fb2613d217ed9dfc4b4ab08498069
- SHA1
  
  389adea470fe8a17fa82b0dd6e962dc396bd5114
- SHA256
  
  32d6ce37cb492c6182da38155ad1b25b31c1ac567b9059e56e1e0710b2bb28a8
- SHA512
  
  f3f046a0103c953cb3d4806d99a2d0f721e239ddb5bbbe74916dde1b7c9f864ddb588f84445f0b2ed23430872988bfae9f023525a6a5684f4572b0225be134fd
- SSDEEP
  
  1572864:GFmLsYZPL7eHm6cXmbtaN8/cStph8sQXR:9B51kRpRY
Score

10^/10

pyinstaller upx exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral16 behavioral17
- Target
  
  libEGL.dll
- Size
  
  371KB
- MD5
  
  6e35ea6f5e8044f4e4cfecc733750deb
- SHA1
  
  e3a87c3bc2428e1084b6c44df3d3447f1256c9e5
- SHA256
  
  cba3e7ae62e3c1a4785d984e8dbe4459d28e90fa5d248ced5cfb6c9a8595a48e
- SHA512
  
  0b69e5ea2bd807f4e3145096468a5a5141aec26548c9cc06f931f9a3f368fbe69483e726baa300b577583a30bc8167ee2de4385e4d16d57537dcfaa291c28015
- SSDEEP
  
  6144:CrL87KEGktYUyxWS8O9qHZQum+FJlgxFLBxpR:CrL87vfyx3ZyaxFL
Score

1^/10
behavioral18 behavioral19
- Target
  
  libGLESv2.dll
- Size
  
  7.5MB
- MD5
  
  acb87fb8d7c650f7f731fec86547818d
- SHA1
  
  1dac2a461585c4f13930707eca8bc20ba77e3630
- SHA256
  
  eb647d5bd0593487451804f4aae20a3f5dfcb004c42d3039d15b723c1be592c4
- SHA512
  
  e3cbf91d8334868f077535e5c0ceff512fad9b91785fed157383a15bcfa3375bad4df9e72b9b9ade1ae337e12fe18f2b03d26adabe4ef569ea0dc51772f9a044
- SSDEEP
  
  49152:zYpFY0GcBM7Nnuc7xVnz27zg+Bim/7ZIoa8t8SawwZN+eUBop6epY/23LdIdyJ4M:mrGvnz27xIo6qN9hQwf71L6aKJ4liD
Score

1^/10
behavioral20 behavioral21
- Target
  
  resources.pak
- Size
  
  4.6MB
- MD5
  
  d9022282a7fbf3aa354559ab6a9c7926
- SHA1
  
  ff1f2b77d80848bc1a51e48c21a033eb57d8776c
- SHA256
  
  ddc85d749b19cbabae11a0b8f7114daf75900179a2147280dd0f9f8faee7d65c
- SHA512
  
  6b9ab157cf8e10d8a79ea2ad4e247210fe2a7fd75dab086eb55951d4e028af3060e1f42175be936c6b093abc2c3071c0fd1c45afee3c567a79e1b722fe5f5d97
- SSDEEP
  
  98304:aAVqybB1h8fawgGMLdWiz1Z/de8xJtHDgAQcchH:aA4ybnhjwYdWm1iovjgAQcchH
Score

3^/10

execution
behavioral22 behavioral23
- Target
  
  resources/app.asar
- Size
  
  435KB
- MD5
  
  2b9517fbf06ddce2c072ee3c04afb1c4
- SHA1
  
  374259f96af7bc803197f9682f830c96f4d024e3
- SHA256
  
  9fe10940baf1a4dcca11673b5ad10189636c9569fed370f7de5b00c0888e2739
- SHA512
  
  a6d956f289087433be098ae1bd9e6c3b8d355fe44f5404c9fb8efc4edd348b28e8453d931c04f0c67e8db9550bad8753b5dd7020fca6545ddf90ed4c61c96196
- SSDEEP
  
  6144:TMX6vF4DbpCpWzHxttMSjWzL/a0KeaZcyT87aUMITavRGQAox8CRgXkRpW917aBT:TMX6gKSOLS7xT8+5f9x8CpmoByKM8
Score

3^/10

execution
behavioral24 behavioral25
- Target
  
  resources/elevate.exe
- Size
  
  105KB
- MD5
  
  792b92c8ad13c46f27c7ced0810694df
- SHA1
  
  d8d449b92de20a57df722df46435ba4553ecc802
- SHA256
  
  9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
- SHA512
  
  6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40
- SSDEEP
  
  3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
Score

3^/10

discovery
behavioral26 behavioral27
- Target
  
  swiftshader/libEGL.dll
- Size
  
  391KB
- MD5
  
  a0b05fc37a40d28fa65835e55a1d0a3a
- SHA1
  
  fa8f9bf28cbbc425aedd6fc9349ffadc7c10203d
- SHA256
  
  f9e3e49e55f01869be58157fd1f8fc1eca4c8b6b34b14e5e124149e6da1efa9f
- SHA512
  
  e752075618cd1bb760be20cfce2102fa9e3f2a067ff4335559d08f90fd48409db290268cc20e6c5b4031d38eddca83bbf5b52b81ee504d83c41a9c2f2818a52c
- SSDEEP
  
  6144:tsqYoNTci8GIcredpDrm/ILgcGHNP6DHa8rrEy5OmluhJ7:tsqYoNTIcrIEltP6DWy5huhl
Score

1^/10
behavioral28 behavioral29
- Target
  
  swiftshader/libGLESv2.dll
- Size
  
  3.6MB
- MD5
  
  d4a2a20be825850edacf683342d03984
- SHA1
  
  798cb0b106a40d7c9b4132dd43adfe750f620c16
- SHA256
  
  56767f04b3b101d912c89cd2e7f4fd4209a6de5c462688a6df3fe9ed1892b9db
- SHA512
  
  427713bd131a5cb554d0e887a4da24b1dc5b9296260d79a5436ecd90fb34b90cef23d8d2edb8e5dc24768c033b14e7e7e427132f034d561d6ec8ed76c2b84a2f
- SSDEEP
  
  49152:ONLpLX1Ko1YNottXPnRqVIG7LVkyHYVRVTbu2/KRAJu57qMcrGRmL9YE6ndbGTP0:IioOCG7ZdHQu2fu57ql2pR
Score

1^/10
behavioral30 behavioral31
- Target
  
  vk_swiftshader.dll
- Size
  
  4.3MB
- MD5
  
  a01021571f60189cfcf6771571bf88f4
- SHA1
  
  bf650836892af16a82e5770e8c873acb6ea31308
- SHA256
  
  1673f46a96ac36914674cab12c1aaabcb3ef428d8d974480f1dc5661531beea6
- SHA512
  
  c13aef707bee712ec5069b4af3e8fb8f4cf86ef186aa40c51a467d5aafa4fd571beeae67c5d388b889a959a1a2bff65551eb29f6626f192cf13456026f2c41d2
- SSDEEP
  
  49152:TLdyrnUcaL6ge7cxxdPT6B9+29TNj4Vrt/+2AVRJNewGl8HIq98B/lCt1SKUwFyu:yF/h2AVOFmL1KdXpa1s
Score

1^/10
behavioral32