exelastealer | c4846d87be3066f1a83f08952bb31443c936e1b92483e0073a86a4e1532140ed

Sharing

General

Target

Stub.rar
Size

13.7MB
Sample

241211-exqb8s1khm
MD5

58ae6587fd5a3dbac3f8511197e14c0b
SHA1

1277909771e2cb83adcfbf64164ef90f795844bb
SHA256

c4846d87be3066f1a83f08952bb31443c936e1b92483e0073a86a4e1532140ed
SHA512

426db72277c69d9fbf0ea5ef089c2e7c72b2047590928d0a628ba2ebda22d9be968dc6a281da98866e3ffa635612893cc32e99b65d0aa2e78358ec6792b3be2b
SSDEEP

393216:t+r9nMSgZoe2LRswDXhINs0XZdQcF0Y09UhsnwgWMfh:t+FqyVsMXh6ZXZdQo0YoUhawgWMfh

Score

10^/10

Malware Config

Targets

- Target
  
  Stub/StubRUNSMALWARE.bat
- Size
  
  6KB
- MD5
  
  72bd8faf339e4e373f3cd3c87ab862d6
- SHA1
  
  bde1905839c1a752057f211fd739c39ace23a617
- SHA256
  
  7b7f24ca18e76f242f2e3fc32ac6d78f7bfd0ffd05c24d22a8959e0468cc3f8f
- SHA512
  
  ed41a0117b14cd6b29931fb265094f300810f7d5d8c13658e4673efce37cfa053a71f935012c09e4bb825929aca8eb3c6b7a3a5bc0a87b6bfea3d24d3bfab968
- SSDEEP
  
  192:B9rfL8398nUo9rfL8398X89rfL8398XFH9fH9e14Hh:gT
Score

10^/10

upx exelastealer collection defense_evasion discovery evasion persistence privilege_escalation stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Deletes itself
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  Stub/StubUI.exe
- Size
  
  10.9MB
- MD5
  
  9b7e728587d7d0dbcf25cd48ec930c8b
- SHA1
  
  f13229010375df1648ac9a15b5bbd1c474b5331e
- SHA256
  
  0e8063bd94bbe3a80ce2259b80cf11988842aed383bfa2045efbde44df779aa4
- SHA512
  
  19c47f2ea1f113eff6ed9de45abc22d9b55d45948c3b68835331325a2766eca6903ace856aded93a1f5352f194f48df2d84fa458b8c81dfd886bd02938207406
- SSDEEP
  
  196608:RLc4kKASm9cemXyuSyTde8zveNK+wfm/pf+xfdkRixKEr2WOHWKD39eH:C4SSm/tByxjgK+9/pWFGRi0Er2W673MH
Score

10^/10

upx exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  Stub/resources/SpoofAPI.dll
- Size
  
  1.3MB
- MD5
  
  95b428a94e88b2deea40423369c14adf
- SHA1
  
  17dd76cc438e245cff7d192f45a0173ddd34ae1a
- SHA256
  
  1cf19ba31cb4d465c458d81980d4a07dd1b3597550fe9bbbf005eeccb7ad9c6e
- SHA512
  
  47d9ba062b326c4778f4f44e8eb5f14ccd14b6511a955b169dc49b26d1db6ab8c2924cc3057ed580b348d213801693b17ea20e927bd5d77f0ed3ab14f2aac5e5
- SSDEEP
  
  24576:sIsoAeOjaoNwg7Uv4yZFhimuBaMvQBvY+Kj:SoFOjaQ1owyZPimuBgYNj
Score

1^/10
behavioral5 behavioral6
- Target
  
  Stub/resources/SpoofEnable.dll
- Size
  
  47KB
- MD5
  
  85628fd8d23269cbe625dc3a9143dbac
- SHA1
  
  3489bca2d367dfdb7a54a45df4f0922f427e6d92
- SHA256
  
  474a414482c33b404b9e48ed8973c748e046010fc6ac9b2fa3df9657074b81ea
- SHA512
  
  fe222c620c7f2f4567fe315a8b49a1aa786daebf20e3d4677342913212cd5fa59abf86a630e55bd4bf293b9370688d0b95de1c7723728c0d83d1be4e991e30ec
- SSDEEP
  
  768:xSVhfEPELPgbjlsSZlU9gBAeV1PFr71ocvm5QEEc3hxQc2Ia7+dkNaVij+PvGVlB:xSVhMdnls5qBAePFr7immbXu7+dJij+Q
Score

1^/10
behavioral7 behavioral8
- Target
  
  Stub/resources/SpoofInjector.dll
- Size
  
  1.3MB
- MD5
  
  fbd32ef93d8199755b4bff8a2bd9c01b
- SHA1
  
  80389cacd54110f585012463851db6e9f311915e
- SHA256
  
  1c2f025e3cd1d9ad69823f702b52449f1eeed553911632a456a1f1089ae75206
- SHA512
  
  8ee4d4320ee3aef16d0418453fe194390c426e03640a3862c0ff489c01cd497dc6064bdbe90b3a9337b78c985dbeb238008a440baddc065ae3d145da2570b9e6
- SSDEEP
  
  24576:KIsoAeOjaoNwg7Uv4yZFhimuBaMvQBvY+K/:goFOjaQ1owyZPimuBgYN/
Score

1^/10
behavioral10 behavioral9
- Target
  
  Stub/resources/SpoofProxy.dll
- Size
  
  1.3MB
- MD5
  
  45c2f37b8f06e6fed42b69b4abba88b5
- SHA1
  
  0b90660601e02898066c2c490533164af8e39f46
- SHA256
  
  0ff2c3004e8dd82ff5f16cadc6e582a36cb290c7cf307f49c3021bde340193c6
- SHA512
  
  0613b6b34912b2fb123a73a8f3054e24fffe3a3538735c2326ee7b622f2374c20365b454f403a37e70592d4a33fc0782fabf70e0ee9cecd933129c59ff023278
- SSDEEP
  
  24576:sIsoAeOjaoNwg7Uv4yZFhimuBaMvQBvY+Kb:SoFOjaQ1owyZPimuBgYNb
Score

1^/10
behavioral11 behavioral12