exelastealer | f5ca492cdfb9388f34078c6270f6c39d0bac7ab2bc8e9e9eb7a71b795f0d90a6 | Triage

Resubmissions

27-11-2024 23:00

241127-2zgt7szrhp 10

27-11-2024 22:36

241127-2jpvwatmht 10

Sharing

General

Target

networkintegrityservice.exe
Size

14.6MB
Sample

241127-2jpvwatmht
MD5

ec0a05923731eda38cb2f533ee74c945
SHA1

47cc0a8c4109776ca9fee5ab281f0203b5c6c76c
SHA256

f5ca492cdfb9388f34078c6270f6c39d0bac7ab2bc8e9e9eb7a71b795f0d90a6
SHA512

57727971daa99ada99cae55724b3b632b6c579bde1ae1eba0f9049c47f2475b7d484ae68ea481f01e8192609b3b8d0e699a11f8e3e6fdb7349767926552723c0
SSDEEP

393216:X22h63hucWdQusl/l9foWOv+9rzqdrxwGhSOIQZaor4:mJ3hrWdQuIhorvSrWTw+SCaor4

Score

10^/10

exelastealer collection discovery evasion persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  networkintegrityservice.exe
- Size
  
  14.6MB
- MD5
  
  ec0a05923731eda38cb2f533ee74c945
- SHA1
  
  47cc0a8c4109776ca9fee5ab281f0203b5c6c76c
- SHA256
  
  f5ca492cdfb9388f34078c6270f6c39d0bac7ab2bc8e9e9eb7a71b795f0d90a6
- SHA512
  
  57727971daa99ada99cae55724b3b632b6c579bde1ae1eba0f9049c47f2475b7d484ae68ea481f01e8192609b3b8d0e699a11f8e3e6fdb7349767926552723c0
- SSDEEP
  
  393216:X22h63hucWdQusl/l9foWOv+9rzqdrxwGhSOIQZaor4:mJ3hrWdQuIhorvSrWTw+SCaor4
Score

10^/10

exelastealer collection discovery evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Account Manipulation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Network Service Discovery

Permission Groups Discovery

Local Groups

Process Discovery

System Information Discovery

System Network Configuration Discovery

Wi-Fi Discovery

System Network Connections Discovery

Lateral Movement

Collection

Clipboard Data

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

exelastealercollectiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

behavioral2

behavioral3

exelastealercollectiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

behavioral4

exelastealercollectiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

behavioral5

exelastealercollectiondiscoveryevasionpersistenceprivilege_escalationspywarestealer