General
-
Target
RippleSpoofer.exe
-
Size
15.6MB
-
Sample
241110-ezenhszblq
-
MD5
76ed914a265f60ff93751afe02cf35a4
-
SHA1
4f8ea583e5999faaec38be4c66ff4849fcf715c6
-
SHA256
51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
-
SHA512
83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac
-
SSDEEP
393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+
Behavioral task
behavioral1
Sample
RippleSpoofer.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
RippleSpoofer.exe
-
Size
15.6MB
-
MD5
76ed914a265f60ff93751afe02cf35a4
-
SHA1
4f8ea583e5999faaec38be4c66ff4849fcf715c6
-
SHA256
51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
-
SHA512
83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac
-
SSDEEP
393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Exelastealer family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1