General

  • Target

    test.exe

  • Size

    39.0MB

  • Sample

    241203-r2qvsayrfy

  • MD5

    674c34ea3491bec6673193c5f3e78214

  • SHA1

    b5473312a449d5e1f0dec6a9d5c46a7d06708240

  • SHA256

    d3ba0aafc26fb7a3d58e4e720ab05698df33efa6486fe5c51e507f4099306fc6

  • SHA512

    2d2ecb4ae7389c85d02d0a39ed64f17e75be6cbb0d55736b908f2f8d56a369d6abfdc6b7e5bf27d9752cb79c8fadefc594d2c7afea1a4a14163af3df7724bc48

  • SSDEEP

    786432:FDlzv9s86IICalOSTcIoNT9m6Qe0RbpCiKGBAMmL32h7riJMXsMNV:a8BIXkOfo26SRbdBAFLc7riJ

Malware Config

Targets

    • Target

      test.exe

    • Size

      39.0MB

    • MD5

      674c34ea3491bec6673193c5f3e78214

    • SHA1

      b5473312a449d5e1f0dec6a9d5c46a7d06708240

    • SHA256

      d3ba0aafc26fb7a3d58e4e720ab05698df33efa6486fe5c51e507f4099306fc6

    • SHA512

      2d2ecb4ae7389c85d02d0a39ed64f17e75be6cbb0d55736b908f2f8d56a369d6abfdc6b7e5bf27d9752cb79c8fadefc594d2c7afea1a4a14163af3df7724bc48

    • SSDEEP

      786432:FDlzv9s86IICalOSTcIoNT9m6Qe0RbpCiKGBAMmL32h7riJMXsMNV:a8BIXkOfo26SRbdBAFLc7riJ

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks