Overview

overview

10

Static

static

3

test.exe

windows10-ltsc 2021-x64

10

Stub.pyc

windows10-ltsc 2021-x64

3

Resubmissions

11-12-2024 09:14

241211-k7crsa1kal 10

11-12-2024 09:12

241211-k6m65awmes 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.exe

  • Size

    45.8MB

  • Sample

    241211-k7crsa1kal

  • MD5

    45cadf54d5946e1d998f1092a958b294

  • SHA1

    d9ef974e3f0618efd405e41fcd12632194b9e61a

  • SHA256

    ace0431aea0f488455755fdbb0b38b6580dcfc4c27df7cf15f9cac41a1c57dbc

  • SHA512

    d8bdc9e2ef6dc21f0738d452508fe82c3f408b128dc7d309e8cc109422f925dfff4f2d65529404553d5c0cf338b1761be9abc81523574eda0d4b6ee5a23b6be0

  • SSDEEP

    393216:tB4Dqi1m1Nqao+9/pWFGR+e03r2W673KH:tBsqMm1Njo+9/pWFri36

Score
10/10
exelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      test.exe

    • Size

      45.8MB

    • MD5

      45cadf54d5946e1d998f1092a958b294

    • SHA1

      d9ef974e3f0618efd405e41fcd12632194b9e61a

    • SHA256

      ace0431aea0f488455755fdbb0b38b6580dcfc4c27df7cf15f9cac41a1c57dbc

    • SHA512

      d8bdc9e2ef6dc21f0738d452508fe82c3f408b128dc7d309e8cc109422f925dfff4f2d65529404553d5c0cf338b1761be9abc81523574eda0d4b6ee5a23b6be0

    • SSDEEP

      393216:tB4Dqi1m1Nqao+9/pWFGR+e03r2W673KH:tBsqMm1Njo+9/pWFri36

    Score
    10/10
    exelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealerupx

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Exelastealer family

      exelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      Stub.pyc

    • Size

      875KB

    • MD5

      7e9d3f7f7059096cca31cc842cb6955a

    • SHA1

      137a42a6781049d3385e4204bd6e8f2d9bb40a9a

    • SHA256

      b3026f4c80eb87349337bc71d4e9aaf89676ca17cd7433c9cd79637976af1df4

    • SHA512

      cb61086fabbf608b213c14be127d3a81330f729da42841699ed2e10def7d9e70c92afa2a1cc7cd3f43559e39d9f0d208650011eebe5a387ade7a22d8b9f7e71c

    • SSDEEP

      12288:Nw9LB7gEqhT8tc/4v5JZEKXRx00gCNlcajld1nBefqbFBX30xqqQ9a0wv+tp/pUw:ELB7g7dQNE+Z00m47Xu7yWe3qwvjB

    Score
    3/10
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks