General

  • Target

    Password is 1234.zip

  • Size

    11.0MB

  • Sample

    241204-zbvp2swjcm

  • MD5

    81f855da81e3e1e820cd146c74289dd1

  • SHA1

    ab978ecafd557b2c2cc60bff096d897509bcc77a

  • SHA256

    8e0a00a3a39c2fbc723eeee8b9c1bd4da471d491de6c10f88af327ecf166e910

  • SHA512

    2cd0ae11bf310a9c70b81b39e0500ed46e7f168d19b8a37af1d311bdd3c2aab5c2f437529bee4c690fdff4c1ec5dd5da11177ffca3224aeef80a6c3aadf52d13

  • SSDEEP

    196608:eGVQLFO3N49tH9a85CGciDuEQSw9kRb3K6lgwdyMKES1MYBoIqnff:eGVQL43N4N8Grw9uouyGS1qnff

Malware Config

Targets

    • Target

      Password is 1234/AuthBroker.dll

    • Size

      232KB

    • MD5

      079cc7ae36b25673bdf6c1a0b5a5f6cf

    • SHA1

      426654efb690480586cf24ed48010ffdd77801c5

    • SHA256

      a592978d102b67959fd9148f5bae27b09d99b2d36a4d103289d18f5c2130d9cd

    • SHA512

      a4361d6fcce73f3f23b74dac23ec5214dd1b9fbcb77334865b9f1b08295fceea3eb3506b7c0be838c844a29f7bf4a52bd0b4f15c664f2c4fbf67e279f370e0f7

    • SSDEEP

      6144:b/MU8kflMzSVR8Knlt+5MTv4tCPUvTqKqnM/k:78kflMzSVR8Klt+5MTv8c4T/qGk

    • Score

      1/10

    • Target

      Password is 1234/AuthBrokerUI.dll

    • Size

      144KB

    • MD5

      9c3e3021cba53ad908efdecbccc97500

    • SHA1

      3f4fa54297fd85b5b03646f0eca55821e7659010

    • SHA256

      5a9fb69412f3c411f14b67fd215bdf8e2623799e635b454b2b768993224399d4

    • SHA512

      9a6f5fcf4f0aedb57949936b8f7fb64fd7f464db22ba19075a8168b3500d37de483064ef310cbc22e81907cf72024e96a9132e23a569b97bf3dab2fccf20bebd

    • SSDEEP

      3072:fSfASjUhL0pBUMtOaR5ggNF/VRclc9WOdTcrg6vrwH8PU0HZO7+WS5SaH:fBSjUhL0DUMtOaR5ggJVqlKHZcrVTwG8

    • Score

      1/10

    • Target

      Password is 1234/AuthExt.dll

    • Size

      76KB

    • MD5

      f4917a18dc1124d7c286de63b2fb71ba

    • SHA1

      a45a91f21e02de2432c576e5af704da291ca8f6b

    • SHA256

      9454efa34febf65d5cb07aea69b7632b143510ebbfc77086244f99a072451410

    • SHA512

      067510d46399e2a437c9c114a7334ce6f154e50b9a66be8fb597ae27de795433036d63bf7c117ed4c9162a8bd78875d970cff2da496280ea936daf78b421dd29

    • SSDEEP

      1536:GYAdZDTW6HpClmwZORZJzp4XFbYPMtpbtEFRpVc:GYAdZtpscx4XF067yRpW

    • Score

      1/10

    • Target

      Password is 1234/Ruin64.exe

    • Size

      10.9MB

    • MD5

      e577cb081e2cd5fb03fe71d56ff14c63

    • SHA1

      c4aab6e0c57601333b5df3ddd683a65132168802

    • SHA256

      e8bcc69e48479f766179aeeea50eeb3034971527d03920d60795a8c532dd867d

    • SHA512

      f2b049e77818bfe8b011e729068c7b005dfcd1b5a25790c99e09360db2180ac649dd89f8a2976fe11cfa5c21c7d10d3e0c84c9ab97502ab487e918968f86c4a6

    • SSDEEP

      196608:WxBo264KAF/cemXyuSyTde8zveNK+wfm/pf+xfdkRbgxKEr2WOHWKD39eH:kFjtByxjgK+9/pWFGRbg0Er2W673MH

    • Exela Stealer

      Exela Stealer is an open-source stealer, first observed in August 2023, that was originally written in .NET and later ported to Python.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Target

      Password is 1234/auditpolmsg.dll

    • Size

      104KB

    • MD5

      3b2639e73ce1708a48589f68e57b8a1a

    • SHA1

      946ccbfbfeb3379f257981fb8bccd741a21097b6

    • SHA256

      6246ca4ce424a90025cb1be7166b331849c8630f2400094f79a75893c328ef4f

    • SHA512

      9bb659328a6815ac0ba28ab757097129b1288ade369be655b5c61cb531f1ff78736e5748b6282a7288eac17c08888b0bc5672b87295e93c7b8f9d47fb030fa3f

    • SSDEEP

      1536:hZ59sSnIh8Pxvp1Jz1mEmzJ0RtW9yBozETuEGeJvO41ZZnr26:hZ59d7PxB3m10RgFz/4vB1Tn1

    • Score

      1/10

MITRE ATT&CK Enterprise v15