General
-
Target
İllegalChecker.exe
-
Size
12.8MB
-
Sample
241206-wzh5dazrbx
-
MD5
af07c2cf51596a75173523156e27297f
-
SHA1
9f205a5a6e4ce65d3d313b1f5c160412fa04d58e
-
SHA256
cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf
-
SHA512
1bf467eb605f8dcdca18c5aec8402a7184b806737465fe2d1b2413d01cacccec8cee3a51e8523396d332dbacf1ce5b4b3aaa92f4475c9cd781bba6b9ad89bf08
-
SSDEEP
393216:UJdkewtByxjBIn8iK1piXLGVEgMoEODXXs5kYHZsbAo:U+tAjhDiXHjoRLAsbAo
Behavioral task
behavioral1
Sample
İllegalChecker.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
Stub.pyc
Resource
win11-20241007-en
Malware Config
Targets
-
-
Target
İllegalChecker.exe
-
Size
12.8MB
-
MD5
af07c2cf51596a75173523156e27297f
-
SHA1
9f205a5a6e4ce65d3d313b1f5c160412fa04d58e
-
SHA256
cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf
-
SHA512
1bf467eb605f8dcdca18c5aec8402a7184b806737465fe2d1b2413d01cacccec8cee3a51e8523396d332dbacf1ce5b4b3aaa92f4475c9cd781bba6b9ad89bf08
-
SSDEEP
393216:UJdkewtByxjBIn8iK1piXLGVEgMoEODXXs5kYHZsbAo:U+tAjhDiXHjoRLAsbAo
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Exelastealer family
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Modifies Windows Firewall
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Stub.pyc
-
Size
179KB
-
MD5
d9233146f9e83880db5de4b4e30fbfc8
-
SHA1
86c38962bbfcc36325f5b14b7483a731281cbbfb
-
SHA256
c044d47320d3ddd7ce666b48f139f4342537627c5fda70f3231a1c3b949df7d1
-
SHA512
c2ff5635317f498bcadee89bb18279a8afabbdf056b81b53c02ccfd98adef91c5d407bc8d8ba1afd80a8c3b50f28703227c40ac3aa2f61fae283111406b3bd96
-
SSDEEP
3072:9zvEP7jJj7+vhLPGkno9sISP4eL2yI/SMxtzEcvSFrnW:9zva7BuLPRo9sICLKSgiFFrnW
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
4System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1