Overview

overview

10

Static

static

10

bf5d70ca2f...1b.exe

windows7-x64

10

bf5d70ca2f...1b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bf5d70ca2faf355d86f4b40b58032f21e99c3944b1c5e199b9bb728258a95c1b

  • Size

    99KB

  • Sample

    241028-xvcmgavfma

  • MD5

    369f704a2f7482c34be13941454e57c9

  • SHA1

    343cff02d08a56f75d76052d541a21ba39081d8a

  • SHA256

    bf5d70ca2faf355d86f4b40b58032f21e99c3944b1c5e199b9bb728258a95c1b

  • SHA512

    43fdb5bc0d8fadfa5b778639dd99ce767834c19b935f20607029ced8995f73fb408f01398a7014b33749355d2d6542df203bdf96660345df2ec38eeade5578d4

  • SSDEEP

    1536:6OrgQySDTYowOxhyR999vAFH/N1k7SZCHvqxuV/QHzw4iQMTqncAd8zul:QGMt999vUHF5ZCHvguV/QHzw2MTqFas

Score
10/10
exelastealerdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

exelastealer

C2

https://discord.com/api/webhooks/1152920158470414406/e6cZMhR2c46WKJhAHuxbkYiUUJtxA61zPHZaJSHYHMBE8RWYV1mQZ1ZfleRCDXbyLf_t

Targets

    • Target

      bf5d70ca2faf355d86f4b40b58032f21e99c3944b1c5e199b9bb728258a95c1b

    • Size

      99KB

    • MD5

      369f704a2f7482c34be13941454e57c9

    • SHA1

      343cff02d08a56f75d76052d541a21ba39081d8a

    • SHA256

      bf5d70ca2faf355d86f4b40b58032f21e99c3944b1c5e199b9bb728258a95c1b

    • SHA512

      43fdb5bc0d8fadfa5b778639dd99ce767834c19b935f20607029ced8995f73fb408f01398a7014b33749355d2d6542df203bdf96660345df2ec38eeade5578d4

    • SSDEEP

      1536:6OrgQySDTYowOxhyR999vAFH/N1k7SZCHvqxuV/QHzw4iQMTqncAd8zul:QGMt999vUHF5ZCHvguV/QHzw2MTqFas

    Score
    10/10
    exelastealerdiscoverypersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Exelastealer family

      exelastealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks