General

  • Target

    IDtoToken.exe

  • Size

    38.5MB

  • Sample

    241201-tk1d1aznhq

  • MD5

    734762187272e3be9e58578017fbee18

  • SHA1

    0f10df2787f7a2f205483e91066846e643949032

  • SHA256

    5d9134eef078a5ac0f719179b0a1d99d3f99a1a34cb24dc36ab2af858629debf

  • SHA512

    5c604758e29842a2572d09d80382c7236d5b075d38732b8e86956a63afad477b315c02c9e33b9ead0e5ae60890b43aa26a4980fa6a322efa77e8d8b4c24a287a

  • SSDEEP

    786432:PD197wIEevr7qaStRH6IiGazBY3X579BrD1xkeHec7:PD19eCr7QPHAGazmZ/1Oep

Malware Config

Targets

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks