General
Target: Password is 1234.zip
Size: 11.0MB
Sample: 241204-zbvp2swjcm
MD5: 81f855da81e3e1e820cd146c74289dd1
SHA1: ab978ecafd557b2c2cc60bff096d897509bcc77a
SHA256: 8e0a00a3a39c2fbc723eeee8b9c1bd4da471d491de6c10f88af327ecf166e910
SHA512: 2cd0ae11bf310a9c70b81b39e0500ed46e7f168d19b8a37af1d311bdd3c2aab5c2f437529bee4c690fdff4c1ec5dd5da11177ffca3224aeef80a6c3aadf52d13
SSDEEP: 196608:eGVQLFO3N49tH9a85CGciDuEQSw9kRb3K6lgwdyMKES1MYBoIqnff:eGVQL43N4N8Grw9uouyGS1qnff
Behavioral task behavioral1
Sample: Password is 1234/AuthBroker.dll
Resource: win10v2004-20241007-en

Behavioral task behavioral2
Sample: Password is 1234/AuthBrokerUI.dll
Resource: win10v2004-20241007-en

Behavioral task behavioral3
Sample: Password is 1234/AuthExt.dll
Resource: win10v2004-20241007-en

Behavioral task behavioral4
Sample: Password is 1234/Ruin64.exe
Resource: win10v2004-20241007-en

Behavioral task behavioral5
Sample: Password is 1234/auditpolmsg.dll
Resource: win10v2004-20241007-en
Malware Config
Targets

Target: Password is 1234/AuthBroker.dll
Size: 232KB
MD5: 079cc7ae36b25673bdf6c1a0b5a5f6cf
SHA1: 426654efb690480586cf24ed48010ffdd77801c5
SHA256: a592978d102b67959fd9148f5bae27b09d99b2d36a4d103289d18f5c2130d9cd
SHA512: a4361d6fcce73f3f23b74dac23ec5214dd1b9fbcb77334865b9f1b08295fceea3eb3506b7c0be838c844a29f7bf4a52bd0b4f15c664f2c4fbf67e279f370e0f7
SSDEEP: 6144:b/MU8kflMzSVR8Knlt+5MTv4tCPUvTqKqnM/k:78kflMzSVR8Klt+5MTv8c4T/qGk
Score: 1/10

Target: Password is 1234/AuthBrokerUI.dll
Size: 144KB
MD5: 9c3e3021cba53ad908efdecbccc97500
SHA1: 3f4fa54297fd85b5b03646f0eca55821e7659010
SHA256: 5a9fb69412f3c411f14b67fd215bdf8e2623799e635b454b2b768993224399d4
SHA512: 9a6f5fcf4f0aedb57949936b8f7fb64fd7f464db22ba19075a8168b3500d37de483064ef310cbc22e81907cf72024e96a9132e23a569b97bf3dab2fccf20bebd
SSDEEP: 3072:fSfASjUhL0pBUMtOaR5ggNF/VRclc9WOdTcrg6vrwH8PU0HZO7+WS5SaH:fBSjUhL0DUMtOaR5ggJVqlKHZcrVTwG8
Score: 1/10

Target: Password is 1234/AuthExt.dll
Size: 76KB
MD5: f4917a18dc1124d7c286de63b2fb71ba
SHA1: a45a91f21e02de2432c576e5af704da291ca8f6b
SHA256: 9454efa34febf65d5cb07aea69b7632b143510ebbfc77086244f99a072451410
SHA512: 067510d46399e2a437c9c114a7334ce6f154e50b9a66be8fb597ae27de795433036d63bf7c117ed4c9162a8bd78875d970cff2da496280ea936daf78b421dd29
SSDEEP: 1536:GYAdZDTW6HpClmwZORZJzp4XFbYPMtpbtEFRpVc:GYAdZtpscx4XF067yRpW
Score: 1/10

Target: Password is 1234/Ruin64.exe
Size: 10.9MB
MD5: e577cb081e2cd5fb03fe71d56ff14c63
SHA1: c4aab6e0c57601333b5df3ddd683a65132168802
SHA256: e8bcc69e48479f766179aeeea50eeb3034971527d03920d60795a8c532dd867d
SHA512: f2b049e77818bfe8b011e729068c7b005dfcd1b5a25790c99e09360db2180ac649dd89f8a2976fe11cfa5c21c7d10d3e0c84c9ab97502ab487e918968f86c4a6
SSDEEP: 196608:WxBo264KAF/cemXyuSyTde8zveNK+wfm/pf+xfdkRbgxKEr2WOHWKD39eH:kFjtByxjgK+9/pWFGRbg0Er2W673MH
Exela Stealer: Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
Exelastealer family
Grants admin privileges: Uses net.exe to modify the user's privileges.
Modifies Windows Firewall
Clipboard Data: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories

Target: Password is 1234/auditpolmsg.dll
Size: 104KB
MD5: 3b2639e73ce1708a48589f68e57b8a1a
SHA1: 946ccbfbfeb3379f257981fb8bccd741a21097b6
SHA256: 6246ca4ce424a90025cb1be7166b331849c8630f2400094f79a75893c328ef4f
SHA512: 9bb659328a6815ac0ba28ab757097129b1288ade369be655b5c61cb531f1ff78736e5748b6282a7288eac17c08888b0bc5672b87295e93c7b8f9d47fb030fa3f
SSDEEP: 1536:hZ59sSnIh8Pxvp1Jz1mEmzJ0RtW9yBozETuEGeJvO41ZZnr26:hZ59d7PxB3m10RgFz/4vB1Tn1
Score: 1/10
MITRE ATT&CK Enterprise v15 (count of matching signatures per technique)

Persistence
Account Manipulation: 1
Create or Modify System Process: 1
  Windows Service: 1
Event Triggered Execution: 1
  Netsh Helper DLL: 1

Privilege Escalation
Account Manipulation: 1
Create or Modify System Process: 1
  Windows Service: 1
Event Triggered Execution: 1
  Netsh Helper DLL: 1

Defense Evasion
Hide Artifacts: 2
  Hidden Files and Directories: 2
Impair Defenses: 1
  Disable or Modify System Firewall: 1

Credential Access
Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
Unsecured Credentials: 1
  Credentials In Files: 1

Discovery
Browser Information Discovery: 1
Network Service Discovery: 1
Permission Groups Discovery: 1
  Local Groups: 1
Process Discovery: 1
System Information Discovery: 3
System Network Configuration Discovery: 1
  Wi-Fi Discovery: 1
System Network Connections Discovery: 1