General

  • Target

    İllegalChecker.exe

  • Size

    12.8MB

  • Sample

    241206-wzh5dazrbx

  • MD5

    af07c2cf51596a75173523156e27297f

  • SHA1

    9f205a5a6e4ce65d3d313b1f5c160412fa04d58e

  • SHA256

    cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf

  • SHA512

    1bf467eb605f8dcdca18c5aec8402a7184b806737465fe2d1b2413d01cacccec8cee3a51e8523396d332dbacf1ce5b4b3aaa92f4475c9cd781bba6b9ad89bf08

  • SSDEEP

    393216:UJdkewtByxjBIn8iK1piXLGVEgMoEODXXs5kYHZsbAo:U+tAjhDiXHjoRLAsbAo

Malware Config

Targets

    • Target

      İllegalChecker.exe

    • Size

      12.8MB

    • MD5

      af07c2cf51596a75173523156e27297f

    • SHA1

      9f205a5a6e4ce65d3d313b1f5c160412fa04d58e

    • SHA256

      cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf

    • SHA512

      1bf467eb605f8dcdca18c5aec8402a7184b806737465fe2d1b2413d01cacccec8cee3a51e8523396d332dbacf1ce5b4b3aaa92f4475c9cd781bba6b9ad89bf08

    • SSDEEP

      393216:UJdkewtByxjBIn8iK1piXLGVEgMoEODXXs5kYHZsbAo:U+tAjhDiXHjoRLAsbAo

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Stub.pyc

    • Size

      179KB

    • MD5

      d9233146f9e83880db5de4b4e30fbfc8

    • SHA1

      86c38962bbfcc36325f5b14b7483a731281cbbfb

    • SHA256

      c044d47320d3ddd7ce666b48f139f4342537627c5fda70f3231a1c3b949df7d1

    • SHA512

      c2ff5635317f498bcadee89bb18279a8afabbdf056b81b53c02ccfd98adef91c5d407bc8d8ba1afd80a8c3b50f28703227c40ac3aa2f61fae283111406b3bd96

    • SSDEEP

      3072:9zvEP7jJj7+vhLPGkno9sISP4eL2yI/SMxtzEcvSFrnW:9zva7BuLPRo9sICLKSgiFFrnW

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks