exelastealer | c816fbc335115fff78fc616ecc8c10de7bc92a69a54fbe956edd44d2b8ce5f95

Sharing

General

Target

wetransfer_wave-app_2024-10-17_1659.zip
Size

244.2MB
Sample

241017-wm1hws1bqr
MD5

cd721cb9cd6899052e0712e9c5ecccb9
SHA1

a065523dc7fc5c1c1c4adb0a8610f74545c7ea59
SHA256

c816fbc335115fff78fc616ecc8c10de7bc92a69a54fbe956edd44d2b8ce5f95
SHA512

61cc1ab088ff855b4c6cb18c3e8b443b9556b405428be53414e2a638020474c0d9d95a1aad5ffacbde9236bca7d97d8e52622e7e48bd5bbaa9be7cc2595a4047
SSDEEP

1572864:ygbVU4t/Ct6JMgabao+nh+bw4FlWMZBZHuoM2t52kOUeEbaVO7GJbdHDexdypGTH:ygVYUJkH0sEQFOc8W6h9u6zFhU/jj

Score

10^/10

Malware Config

Targets

- Target
  
  wetransfer_wave-app_2024-10-17_1659.zip
- Size
  
  244.2MB
- MD5
  
  cd721cb9cd6899052e0712e9c5ecccb9
- SHA1
  
  a065523dc7fc5c1c1c4adb0a8610f74545c7ea59
- SHA256
  
  c816fbc335115fff78fc616ecc8c10de7bc92a69a54fbe956edd44d2b8ce5f95
- SHA512
  
  61cc1ab088ff855b4c6cb18c3e8b443b9556b405428be53414e2a638020474c0d9d95a1aad5ffacbde9236bca7d97d8e52622e7e48bd5bbaa9be7cc2595a4047
- SSDEEP
  
  1572864:ygbVU4t/Ct6JMgabao+nh+bw4FlWMZBZHuoM2t52kOUeEbaVO7GJbdHDexdypGTH:ygVYUJkH0sEQFOc8W6h9u6zFhU/jj
Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  Wave App/! IMPORANT !.txt
- Size
  
  16B
- MD5
  
  d5673f048a62af6aa5a23ef813799d86
- SHA1
  
  48738545fcf566fdcde8f9cef31fe7f279e8aa98
- SHA256
  
  110e186b5689bc05d42c0a7ceeaceecb6f2f1a9439f5a3cea1c6ecbc5053b43f
- SHA512
  
  ab86a6a7119c480b05c4e3be7717c1e8845068fbfad8c0b5ba32f06d99c05f322dc1faba50b0fd36862417fb655ae74fa064d8a41841226f6b72cc638fc732ea
Score

1^/10
behavioral2
- Target
  
  Wave App/Core/LICENSES.chromium.html
- Size
  
  7.9MB
- MD5
  
  0e3e4362f785aff0b9e1852b1064c0f1
- SHA1
  
  a42ccb51e72bdcb5bb905a62efaa28857def3a17
- SHA256
  
  bd3ee49a5ab19d15ddc44b421b0bdefce587790786989ae77cf3ddf1e6a2ba8d
- SHA512
  
  193b57efc5f5971fbd9e4ea1a80b34aadcc2a814ff49c4c06afe972bf327e98ff0498217a8bdef984b10fdec6e7858a6fb88c0b14936e0c6b404387a426b87f2
- SSDEEP
  
  24576:dbTj6ck6f5kVWS6RqLsWN3Omfpe666A6f6X6TTHW9GqpaE:tEx/i
Score

3^/10

discovery
behavioral3
- Target
  
  Wave App/Core/Wave.exe
- Size
  
  11.4MB
- MD5
  
  6d176ff83634518aa21bae5a1cc6ec4d
- SHA1
  
  52288ca348893d272cdcc433c2e5e176f193d18c
- SHA256
  
  a73fe3f568647ecaca417368454d76b0af13d6d8130e33499e98bfaca4fa07f2
- SHA512
  
  6d497a5077fe240fed0dd85a6a8a6bb5c23162c3b09dd44f5d36c4a223dc03b690bfd3846c2a35ea5886bd67b825ee97f27af6c653f355b1cca0713b2b803188
- SSDEEP
  
  196608:tjhGreGJb3tQk5tSOshoKMuIkhVAastRL5DicJUGc1K7kC8Gx:RhGL7v5tSOshouIkPAftRL5dYY8Gx
Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral4
- Target
  
  Stub.pyc
- Size
  
  874KB
- MD5
  
  2fc96705e50aaac2ddbe024a82748c54
- SHA1
  
  ace5d90b69bda7d4e80eb13990aa30a9488055d5
- SHA256
  
  27bbe05b0266994a4e358b3e463531fd9cd2e446faf4f642b274a162d184c0f3
- SHA512
  
  ca47d2bba9e8cd5d4c2e35268541a897e8773f5236074b28a5dbe40ac298c473c7f6c5fd6c711a5bb628e524932e9ff65754931eebbb070f7c1d988728a3d9c8
- SSDEEP
  
  12288:caPTQZdYl/2NJdUeDRlhqzOWxhPpx9QPWqf5bbW/yOlyay/ePCHUMITNWw9cqXVD:NY51JojqJbW/yOpOUMITNWucqcW
Score

3^/10
behavioral5
- Target
  
  Wave App/Core/d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  2191e768cc2e19009dad20dc999135a3
- SHA1
  
  f49a46ba0e954e657aaed1c9019a53d194272b6a
- SHA256
  
  7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
- SHA512
  
  5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
- SSDEEP
  
  49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
Score

1^/10
behavioral6
- Target
  
  Wave App/Core/debugger/WaveApp.exe
- Size
  
  155.8MB
- MD5
  
  0005eaa283d6bd1765d5dae4fe12fce5
- SHA1
  
  e92a0ef17d4a53bfe144628f1a24dbdf13790375
- SHA256
  
  2550722855607c747efa510d6ca59614088dd33f19ba972fe5f5b1827bbe36e0
- SHA512
  
  828e3261b1eb07f51c779d786693e5949111be35aece1580df5149d673b3ab592b49bde90688f004db96b3b6be2fa5a82391bde25f1c70b8e5019b3bedde8df9
- SSDEEP
  
  1572864:wVU4t/Ct6JMgabao+nh+bw4FlWMZBZHuoM2t52kOUeEbaVO7GJbdHDexdypGT+LY:mYUJkH0sEQ
Score

1^/10
behavioral7
- Target
  
  Wave App/Core/ffmpeg.dll
- Size
  
  2.7MB
- MD5
  
  d5e1f1e9d0ccfe7f21b5c3750b202b4d
- SHA1
  
  74144ac93c0c58a9b9288bce5d06814c9a1b1dc2
- SHA256
  
  e1ab367644f72ebcdc8eb3fcfe829ff51719559ac2a43a1600e712b16871ad65
- SHA512
  
  dcf70d43f1a83c424be99c38e33e520c72115c3d30945980e5e394d460462251bde309e543213b2b08dcbe9769d11d46792e1cc99aa42777fcc34d6f3361a3d2
- SSDEEP
  
  49152:EZ2KxYmwFfgQQs0ShPrF0/zO6R0gRhPj3hTUctrRhuwSnKxqgI5IN8N3lzl3hqzb:Aofp1Pyi54wnKxqg4INhhd
Score

1^/10
behavioral8
- Target
  
  Wave App/Core/libEGL.dll
- Size
  
  469KB
- MD5
  
  dd78b86b3c92d61c37b44ef5b157cfe0
- SHA1
  
  4dcf9ebc3ff5ca552c0e83469b921153b29aea1f
- SHA256
  
  e142752e073c0051a0beb963981af70263ed673959515545521a7941d3230838
- SHA512
  
  9d071568dc56db2ab93d034d07a11a477aab8ac50d9ea3c4db3ac4866fcd3c2f3002ba7a3f2c55589a9d68463181fc7a03327dc164310d7e80e30cc6f6bf2423
- SSDEEP
  
  6144:s4itlpEJVqKqK5Z5UibKsBHI0Sfnx+lXGpeOQHA93GT3sm:s4itlpAqKqK5Z5U+jBolfnjIyG
Score

1^/10
behavioral9
- Target
  
  Wave App/Core/libGLESv2.dll
- Size
  
  7.1MB
- MD5
  
  af3792b63af63408a40604184ea6ef7f
- SHA1
  
  b4d577e1c7ca0d4d3a34e2edb919cf58e6b62952
- SHA256
  
  b0ff1bad8e2f34b12dfcc4b5387bdc042f9bc2f963e11dea1758397ca0e907ea
- SHA512
  
  d413c52f7c82dd17f06002f3ca6bc3efcf4e11e88379d989d982b2f9f47b71643971c4988abee2dc1212027b2cea148a8849bcb442dd4dbcd8e26ea892dd7a58
- SSDEEP
  
  49152:x2b3imtb1uWsvZRUCXQNMBbGUa/XFfOpvQnDwX+xjA7LAIgRg37QiI+id3pFJs7w:x7RWft4NV+sduHox6gWE5lHaFX
Score

1^/10
behavioral10
- Target
  
  Wave App/Core/resources/app.asar
- Size
  
  2.5MB
- MD5
  
  3c6da0a1a1ec1fca4eed8e267ba3095b
- SHA1
  
  e9beefd85bffa8417d82c1de13ec928420969770
- SHA256
  
  085f2b75242bcce9d1d5b59196515f4914e984cb3e107b4691fbeacc09fd9792
- SHA512
  
  433bc74dee5302ac40a943ea5ecc0af31c1a66f9922f67955d8d84eefa9540355d206e9495daed4902c83d53170a112eebe3b9ac281e1a31496a3b49e71c71dc
- SSDEEP
  
  49152:T++KJr5G0uwJPqzabz12PZ8mzZ3bZLqzBoy8nzDCZrqz86yf:TwJyc
Score

3^/10

execution
behavioral11
- Target
  
  Wave App/Core/resources/elevate.exe
- Size
  
  105KB
- MD5
  
  792b92c8ad13c46f27c7ced0810694df
- SHA1
  
  d8d449b92de20a57df722df46435ba4553ecc802
- SHA256
  
  9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
- SHA512
  
  6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40
- SSDEEP
  
  3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
Score

3^/10

discovery
behavioral12
- Target
  
  Wave App/Core/vk_swiftshader.dll
- Size
  
  5.0MB
- MD5
  
  b06a97b925991eac3832437d7db078cd
- SHA1
  
  ca32356ba0938ada1233e13795860690712fbc14
- SHA256
  
  2df870c1719ab057ea37aa15e3e379360c1dd8eaea2eaa56cb7b026f5ee4f19f
- SHA512
  
  e1e61c28a28dfcf15d69e9ccc8e289dfe606b926e21756bbc0f21e15df18d27b1926277ffc2bd6549cdfb17f11d71c2a9353392e58c33557209b781ec32cef9e
- SSDEEP
  
  49152:Ab03fn3GIdr1DO1N8jvfWSrvOuyEE0+w7rz77gpxbhk0H4t38mvttDpSHUoeygs4:d3v3xDvRTGVgt38mvt1pSH0adU
Score

1^/10
behavioral13
- Target
  
  Wave App/Core/vulkan-1.dll
- Size
  
  910KB
- MD5
  
  d562628f9df56ae61770ffdef79c8d05
- SHA1
  
  2423105a960fe0ceb038ca36d6a37638ebd32b6f
- SHA256
  
  5789ca1822f3a5a67cd2c24e6ff0307e688b76a2e99831050bdcf8b8d155956d
- SHA512
  
  739f9f41d8e3e48dbd20bfecfc5679f38e59b3fc8cb406a77c384fd5146f19efafa1e4f23f15071dbeaa1d0dc71e125966e19fb757fc39e6abe953159669c096
- SSDEEP
  
  24576:FoHDVVdrfQ09CPKuy0O0Q6Z5W0DYsHA6g3P0zAk7s+:FuVdrI0GKuy066Z5W0DYsHA6g3P0zAkz
Score

1^/10
behavioral14