exelastealer | 1f3ac725f48f2442886bfafab79345396961c4dc15b63b9904c5a6cc0328fb8e

Sharing

General

Target

PAYPALOTpBypassTool.zip
Size

78.9MB
Sample

241215-k3x7xs1nhp
MD5

0c9d7d19836ff3aed99feed740cd8d91
SHA1

6f7744bfbef888350b88174f043da4df67af9095
SHA256

1f3ac725f48f2442886bfafab79345396961c4dc15b63b9904c5a6cc0328fb8e
SHA512

3b77352bdc3431ce4b9d821cb7a38d7bb4ede4272a6163d51b99ee80eca8835a91740187c93b8e848a484f5b2ec655d97ab4abfb1a678f8ccbc2d1e7e5aed9ea
SSDEEP

1572864:F/wMAW9nQn1avuG90ouo8OlKbpeROas3RVG3CPtp8MCUB030wPju:pmjGz8gMJaJMJikwPju

Score

10^/10

Malware Config

Targets

- Target
  
  Cracked by CRAX-it v3.0.1.exe
- Size
  
  72.0MB
- MD5
  
  6a2030444c1f3d86deec3e47ad9f8d05
- SHA1
  
  241d5b89f494a7602dea839a63e71a06762b2d4e
- SHA256
  
  1d4cb2cb2a9dedd9558e29c069a9731aec5f812bb4f80d2e7eb2e80fb4bfb0d8
- SHA512
  
  160ab0e00bf95083720f63b23b345c66b19a382ea32ae5c045e7159532223f0d043535d2a90b95682c70ca8276928bc18d9fa6c3e9436708b6f67986d161ba7c
- SSDEEP
  
  1572864:4TdqoapvcLvFPI2RYOC+GwHubz43ycE3BbToHC3PVmuUSN+:Evi2ZGKCBovuLM
Score

10^/10

discovery pyinstaller upx exelastealer collection credential_access defense_evasion evasion execution persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  DotNetZip.dll
- Size
  
  462KB
- MD5
  
  79c304e621ffbb4611b698dc2fb9dc41
- SHA1
  
  30413ad0c9e2f955ec43ed9dceb156edb11c419c
- SHA256
  
  46103e4d053be472f1c85223a43e179a5f022df14607febf6f48837473bd3e9d
- SHA512
  
  fef8764cb5f15444ef8dc6877bfd45133af019a87158c701a95c87f3297e32e27607daddbf4aa365133d60fc3f449acfa4f5c003ffd478c59d7940154d9ab5a9
- SSDEEP
  
  6144:iF4lenKdxBoW6iev7zBIL09vdGtSV41kJDsTDDpBnse6OVxLV/xgaqYN3fmxalo:iF4lqKdxBdheDES4csRBse6sfzVca
Score

1^/10
behavioral3 behavioral4
- Target
  
  Entropy.dll
- Size
  
  104KB
- MD5
  
  d45282966db7731687135c76963634a1
- SHA1
  
  8f217e0b15846a45f7e6e528e5f99ef425efe4e3
- SHA256
  
  68310ea51caca38b53b4ae3d5eb7a24127da4b1021c36963e77a0dacf4aeff73
- SHA512
  
  98f1035130a3126fd1613f1ab23c5328a763d56dd2b211d12ab2a17529a3ed1c2542a8f00cfa3ca7224e1d7d9e2dff378dd90a8adcd72f1566175308c038d943
- SSDEEP
  
  1536:GaQAfp1LJb4vLl8JWOKweLZjdtey2+0A1afQ9EUWtgCNC40fa:Gifp1LJcjl8JWOKweRdEykAWtgCGa
Score

1^/10
behavioral5 behavioral6
- Target
  
  HandyControl.dll
- Size
  
  1.7MB
- MD5
  
  f68e64637ac34443ab8fb83bbeab2bf7
- SHA1
  
  82e5a63b21f02ff3ac651a203523fb473a1aead5
- SHA256
  
  471a6ce1aff5b635df599f21cf3e4894d9e893ec9d42d733f9f5c3672bdb8383
- SHA512
  
  e41119634301244331eae3ed13b3a739e68b2a45a1f8c08949d37bce7d189687568cc19c382749ab906ef536305bd1f14d4462e2d27667af256fb047d1eb4eb0
- SSDEEP
  
  24576:qwr+FdUo+3uuobzeXEF7qpILuLUiOBqiIiGiXiIi6ioIP7cTq2b6s8uUpWGGv+dN:q1+3ubbzapdMvw0GcZ
Score

1^/10
behavioral7 behavioral8
- Target
  
  IpMatcher.dll
- Size
  
  12KB
- MD5
  
  66b5ee1af1d75592612e24bb1bf10072
- SHA1
  
  6a104e3338f1534a1233872574bf4e00535154d1
- SHA256
  
  318d50f35b83ec3a2f0fc339d4155c47d2d9ddf3444047934bbcdccef8167e39
- SHA512
  
  213af0bedef1c1e66169cce7509298b872f09e56972781ab3db6d2884c63200ea35d6e815b28d8fa97d92a385df3a9af80bc5b0c03d416e0551a327a199fb403
- SSDEEP
  
  192:2gZAuCfvti3mt3LjCm31CLiQST1YuDIl4TWQelDoFujH8Z:lvCfvti3mxLjCm31CLiQST1YuDIVTlDQ
Score

1^/10
behavioral10 behavioral9
- Target
  
  MailBee.NET.dll
- Size
  
  1.7MB
- MD5
  
  0b309ea2d92164c41937efc3c4a75cb3
- SHA1
  
  9ed899ea9f15c69d21b81f57d74d9d07c4d8cd0f
- SHA256
  
  7428e138a0b2a9e87f8c47076074d29e8d9ba18e07784db6d568ec15cde88bbe
- SHA512
  
  4695fc4e240e1a3ec8ec14f984c3c0191e4c265ea9b7bb44529bf54fd4365d2d09cf5110138c66896ab71512c7b7a36da0eb63202047e705375a4ea1467eb6ae
- SSDEEP
  
  24576:dDMgcE4ilhMM9XBav0OvQRka9P7mijqMaP7P:dDMgcWfMM9XBQ0Ov0mi217
Score

1^/10
behavioral11 behavioral12
- Target
  
  Microsoft.Bcl.AsyncInterfaces.dll
- Size
  
  16KB
- MD5
  
  1e79035fda3aa29bf70f9df1023ce3ca
- SHA1
  
  847ab97b81dd1c83ae196307b52d8ae983ec5b8f
- SHA256
  
  fc3827cfb6834f0ffa6cb76278f309a3b598ae01c751f13fbeb57886e4168943
- SHA512
  
  338550a154ce6f876e101c5d66cd78a04126ab9236c3fd1ebc124ee9db1b72f8a16f1ed6f857fb773581326ac5fc808939b7d3c9fd529123137b48ef4bf9b768
- SSDEEP
  
  384:DOJWqnwnBbNA1kq40VES2j0cX6dAl+NW2VzrdcmDqxRWeq/Ws:DulwnBhYlTVv2wK5idcgF
Score

1^/10
behavioral13 behavioral14
- Target
  
  Newtonsoft.Json.dll
- Size
  
  679KB
- MD5
  
  69c1a967b27ef8657e8c6665de47527b
- SHA1
  
  34bb58f3d27335bd055d297bc52ce2146698d711
- SHA256
  
  3be4fda7b6bd04e9aeaabf973ccc952afb5c0a6aa0fa672831ca82df218df84a
- SHA512
  
  1ee211079618d3b019e0b89d984fc8fef5ad359c312104eee46ce5ddac74271f70fe0d61967e7fc325d7e0181760ca265dc547300237c32f2e35ecc14d3b7f58
- SSDEEP
  
  12288:CLnRIXzZu/3yNFCU8xF6xc8yNRaVjI3QMDajj1HiiiR8MJhBB0ihT1fWNUwHOvWG:inR0Q/3yN4U0Wt6MBCjCu
Score

1^/10
behavioral15 behavioral16
- Target
  
  PresentationFramework-SystemData.dll
- Size
  
  8KB
- MD5
  
  dca6f1b8644df5d0890a7dbc6411e86c
- SHA1
  
  27066bf658df2d398aad6003ae8496dcf015a4d5
- SHA256
  
  48883bd04158c2456ea1be831b559b594fb86199c0d9618e7c3fde45a986ab26
- SHA512
  
  046020ad671d37935eb674988186eb6a8a28b093887f572a4604781be3f8fc6d9df96a00580f352789bdb7ea0f8ebaf6ee3cf13c6be5118bd1df290a3487742a
- SSDEEP
  
  192:cmBvnnwQh8N/UH6AKwBz1o5fDzupoiuhuWHsWYSW:cmVnn98N/Y6m3o5PPiu0WHsWYSW
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  core32.dll
- Size
  
  238KB
- MD5
  
  4e6a7ee0e286ab61d36c26bd38996821
- SHA1
  
  820674b4c75290f8f667764bfb474ca8c1242732
- SHA256
  
  f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
- SHA512
  
  f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a
- SSDEEP
  
  3072:6sGTNBBPt3lBtx5ebLDCc0p00JakwEn0ZtAq0nHHdNwooe+6t3ieCx9UWPrcFw+z:ID5t3lBrGdkwFi3HHdN1Zt9CxVgeH
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  drivefsext.cfg
- Size
  
  211KB
- MD5
  
  59238144771807b1cbc407b250d6b2c3
- SHA1
  
  6c9f87cca7e857e888cb19ea45cf82d2e2d29695
- SHA256
  
  8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
- SHA512
  
  cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220
- SSDEEP
  
  3072:CFITGLr+kmeUE2+YA8zuxD1gb/uVVohUFVEovODl9ply5nk/7K1bjT5h3qs:CbLUEkAtvaumhUXvwl9P62
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  lib.bin
- Size
  
  2.6MB
- MD5
  
  0bd541037d1794d63bb58654f1e897c5
- SHA1
  
  a901fc2bc1fcc672b6dfee0d3e93b4ca8f11c710
- SHA256
  
  2e8931e43c5674bc641651868ef311e2d3407e0132325c0795bdf4f5404fb30f
- SHA512
  
  85412b5357e65ceebdd1f460e4764e3b5b11c242250500f9f55fdbaa0d2c6aa15cf0f68f7e1d88369a013a2d16c95e235db68dd48590e306de59cf01fb7128c9
- SSDEEP
  
  24576:rVsQ6BKfC+CWDU2fy6Uuri8MmOmbCYUz7PH8Zeaj0HM3ow5Xt:rVeBB2kMOnYUvPb
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral23 behavioral24
- Target
  
  x64/GoSrp.dll
- Size
  
  2.6MB
- MD5
  
  8f5f6ee061242d609bd05b48479d887a
- SHA1
  
  0005089c13ba90f2d150a6e117bf463a6e28af54
- SHA256
  
  6b7778f1c17b1a2d48970bdec81f1f1436066c662222ffa8200dee7c3fe610c2
- SHA512
  
  f4eda39b2bf9fe358cabb31e5f839e12704598505c16d6dd26550a5d1fa05775d34bc0ce6f631f4e3db95072630b60968cbe59d146055f87d197c9153dcdb1aa
- SSDEEP
  
  49152:IW/gxY8qgo2P+vrBQiDSLDBK31Al++gMrL+:cxYJgo2o5k/gEL+
Score

1^/10
behavioral25 behavioral26
- Target
  
  x64/SQLite.Interop.dll
- Size
  
  1.7MB
- MD5
  
  1288823e8e1fca09bb490ce46988188d
- SHA1
  
  b07fe4a5d032296e3a7d0727216af8c1d2166e91
- SHA256
  
  6514973856d1767ccb375dcb253400e710fb4f91feb758041d8defe92b1886c5
- SHA512
  
  88967f64116951092a54118055eab462082f16676ea7565f42515e88765813b53cdfbba5181318e73b668e04ddd030a0bfcf5cf47936772f68df85488b865acd
- SSDEEP
  
  24576:xcpbyKNk5l/+ddQOJ3e4vYb0XrdhCplVv1GXOO4PmhFGYHnRELAqqU:SpbB0l/+d1c0RIJvGZ2anYqU
Score

1^/10
behavioral27 behavioral28
- Target
  
  x86/GoSrp.dll
- Size
  
  2.3MB
- MD5
  
  b1e99d702b0324e19b8cdc5aa8c9cd2e
- SHA1
  
  1473b708f7c516dc31612c74cb773396f3f7ca93
- SHA256
  
  e2a69763eb347b86c5426a5028650388be585df43cbf03beb576acd095038296
- SHA512
  
  3afec80909a88ffa8a760c6b156e998504f148455bf514512bc8812e390c59835e9a8cce57b041154c894915e47c40750eab66d84c4d7eb1f0257cf177481442
- SSDEEP
  
  24576:Z3rEK7jLQfvtqvZ8UaqvFbK8qUhk8GJXiV6doA+4MHPEBm3KXUQwFAR8YtVrm7C8:ZQdkK8qU6BWStV+Cz8MVZ69rF1Mr3iHr
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  x86/SQLite.Interop.dll
- Size
  
  1.3MB
- MD5
  
  9b68a8d0393fbce1976c19107422f097
- SHA1
  
  b645fc9aff04f1de9d31d4c4b965ae0a1e3549d0
- SHA256
  
  f16dea838efc5b074f8d8b2f8e14ab77ec744648b1d5dd550456c2f99c12bbdc
- SHA512
  
  7989b760012fcab665591c2528d8ecaead09cd9cd74a7208ef6177b36581d381574d007a31bb4c55da7bc793000bf71be546b1caec59c380ab8962ea2b719933
- SSDEEP
  
  24576:Od/jGQ1cL7Y5POF9y4Fsiem2gUJ4TmrQD06dr13TkhGb2/FJC//3bpdR:OjGQ1QKy6rQDFdrRIJ6//3bpdR
Score

3^/10

discovery
behavioral31 behavioral32