General

  • Target

    sglotz

  • Size

    4KB

  • Sample

    241201-rb9vzasrcx

  • MD5

    64072f808173e6b2cdbad75306c91e67

  • SHA1

    f43c55999f3bbd457ff97bd727ba7b9721006f9a

  • SHA256

    06f03c671ecb399a18f1deaf75e6cab4c6fde9d7f7b0202475c2767b1e1b7bd1

  • SHA512

    f927b1e5b5f005a4d049be8873fe458306e054a355a47df75b97a8ca412c94bba881d58ede37146e4a341249772535cb3bd9f0587c12c5393638a29494682956

  • SSDEEP

    96:6zYRupRsDpRYpRGZjRxQWQhFS+burexZCe5VadYCzK9bKwof:6UIp4pWpUZ1QhFUa5bahMbfof

Malware Config

Targets

    • Target

      sglotz

    • Size

      4KB

    • MD5

      64072f808173e6b2cdbad75306c91e67

    • SHA1

      f43c55999f3bbd457ff97bd727ba7b9721006f9a

    • SHA256

      06f03c671ecb399a18f1deaf75e6cab4c6fde9d7f7b0202475c2767b1e1b7bd1

    • SHA512

      f927b1e5b5f005a4d049be8873fe458306e054a355a47df75b97a8ca412c94bba881d58ede37146e4a341249772535cb3bd9f0587c12c5393638a29494682956

    • SSDEEP

      96:6zYRupRsDpRYpRGZjRxQWQhFS+burexZCe5VadYCzK9bKwof:6UIp4pWpUZ1QhFUa5bahMbfof

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks