Overview

overview

10

Static

static

3

ga/EXTERIUM.dll

windows7-x64

3

ga/EXTERIUM.dll

windows10-2004-x64

3

ga/GH Inje...64.dll

windows7-x64

1

ga/GH Inje...64.dll

windows10-2004-x64

1

ga/GH Inje...64.exe

windows7-x64

7

ga/GH Inje...64.exe

windows10-2004-x64

10

ga/GH Inje...86.dll

windows7-x64

3

ga/GH Inje...86.dll

windows10-2004-x64

3

ga/GH Inje...64.exe

windows7-x64

1

ga/GH Inje...64.exe

windows10-2004-x64

1

ga/undtct.dll

windows7-x64

3

ga/undtct.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ga.rar

  • Size

    2.0MB

  • Sample

    241007-tybmsszfjk

  • MD5

    ad14852f4d9007a258d0e4c39e007b07

  • SHA1

    eeade2891e16fa0d1decd14f45891de9d5e66f82

  • SHA256

    5eff807aef63234dca6d7b09f0f5e06807b298f3749684d66f121aba0462f509

  • SHA512

    85fe93617a91ddeded977ef8f7cd83a9d97b9d079eb5b7fc748af425546a3c1f93cbe1317e0fac108671de1ad2ca3284a896a8599e1442a1eab3781d7eaa799c

  • SSDEEP

    49152:wqnU7eRwHfpwr8VjsItoifkuf+jtLkZ4MWm2w:wqnU75xwwVltoY/fUkZ4tY

Score
10/10
exelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      ga/EXTERIUM.dll

    • Size

      1.6MB

    • MD5

      687932f2f49a6665e8fecaa522c7dfc2

    • SHA1

      029a0b9e8e10e83caad07202625fd0b4e53bdc87

    • SHA256

      5b25c651d62c0e0fcc143a409a8783c876522b3fe861d81e4d8338e22f630f1b

    • SHA512

      1ebbf0aa8f46b1a2fed7fefc1478efbbb8e242cab1fa3a336d94cf2f6e0f318d4958fca4c10a22dc239d6a226e8dd3cd95a4976f188f3ce098b7fd2834b24b68

    • SSDEEP

      24576:3gywMoo8X3jDtPNjHpx3Wn36nBgCQqsGZf3k82BK1tyFDG4OIKkM2N5xo:Qyw1RHjDtPjZm6BLQqHf3k8yLOI6

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      ga/GH Injector - x64.dll

    • Size

      80KB

    • MD5

      577098d13cce86f097dbd5ed3d7f841a

    • SHA1

      853df164b60d351d236b3494dfe34a6d1ea62eaa

    • SHA256

      3de027f62dc95df4696ed8b526046ee69eb7c1ab53712368d2a9a4ca4bb595c9

    • SHA512

      4a24bb69ff360cea62e1818ef2a818d3d7d2faa6c7e7f5f9829dee2654b7a787689839d5ba4baedc5dfaaff5a7fff39e8ab99b43433bb95fa0af0e84c48cda8e

    • SSDEEP

      1536:6y/F6lrEqQ+Q+r2S6F3zQh7rPgCSL0/M+7:ErY+laSs3zQ5PgCS4U+7

    Score
    1/10
    behavioral3behavioral4

    • Target

      ga/GH Injector - x64.exe

    • Size

      962KB

    • MD5

      7b7520a789158423fc9220782c162f6e

    • SHA1

      2a97699729e9ee25acd1b9bc0e94c95cda9d81eb

    • SHA256

      3d4a6a90910f6a00c5e5ca861d348cfb1235e88335f8c3494f63d7a94ca92e5b

    • SHA512

      bbb8a46c4efc05fb278614466dc5acd7a1e695ec485b7de0dc56a31bd8ad8090af0ba67e53b94095f432f3c640d393d1424d7fd48bbe00f5b44f3ad541174bc3

    • SSDEEP

      24576:TB5/LBCgO5AMWe5bUESA8IzqOj865JAZ1NX1YHLi+dr:dNLBCgX3pESAHzqO8aAZ1d1qGm

    Score
    10/10
    defense_evasiondiscoveryupxexelastealercollectionevasionpersistenceprivilege_escalationpyinstallerspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

    • Target

      ga/GH Injector - x86.dll

    • Size

      54KB

    • MD5

      a90f82ec592f7d7bafe379947bc976ef

    • SHA1

      fde0997a72c95d4c37fbaf0d47b2d35782c9695f

    • SHA256

      57fe4aac342425fe7f1c24600b3c9781ce9f73e98905df5858480cb8ca8ea631

    • SHA512

      d7f0738ef1e495546c5eee00270cb95cd453a832d00066625aa9a87a9ea0319399118d81796b8aff02002df63b773ca9392ea24b5792d55f158e9560eb832dd2

    • SSDEEP

      768:ow+gyUC/9zDP1XO5mvQRI6qqsciMCUX8VzK3+nO+t4YZQ8AN7zPkFg8s/4PU:CL/5KDHrC08VzK3+nO+t4YypCgbz

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      ga/GH Injector SWHEX - x64.exe

    • Size

      27KB

    • MD5

      e80faaf635cc8a67ce128a77db91cf5a

    • SHA1

      581f8f3651fba45287e211e55a4dc019428e98d9

    • SHA256

      550e76bcffc9835e18d0558a1295c5517ff636b20ee4620fb8ba29d45b3be3dc

    • SHA512

      e5fc5e9f8664ec5ce3acd789da568c0800a1a2b1861beb05c5d5ce2f329e9141d1dba71e32907500f54c3cbc18ad9ef7bde0ccce716ff9dd27c00318cf4ed506

    • SSDEEP

      384:LxEJhfsQhDNzF0lJF+zhec97YBKn1/6C3zy6Yor5a3/6+l+S5K:NQhDtClal/n1/hzy6xrI3Jlj

    Score
    1/10
    behavioral10behavioral9

    • Target

      ga/undtct.dll

    • Size

      1015KB

    • MD5

      3e9e02ce2b577d62b35c34aa6ec027e2

    • SHA1

      9c464e6edc2e6a4bc17d28a68d5217a134b8f368

    • SHA256

      2c81fcf3f79f98c78963da78d234dcf6dd36c9503438121d384b39edb0ca272b

    • SHA512

      7eb9a3580ce664e78ccf89130581de6e5e816337f4953b192038baafd7ad163a096250aa2f93f4dab68dfec0e25987845777f70d37afd37bab73e793e680f68c

    • SSDEEP

      12288:Cab/0Xn458xRrPzrUBHK5fhgxFmXEP2f7K46TnSEl1yt6zzng0LNU5w37A6Dv:ClXn458xRrPztgxoGRNU5w37J

    Score
    3/10
    discovery
    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks