General

  • Target

    OrionCheckerPTOV2.zip

  • Size

    36.2MB

  • Sample

    241224-bxc55ayjbn

  • MD5

    5efb2675d3b4a4f3b8621c2e7b2b8a98

  • SHA1

    45894c2debc8cc219ebd14616e25f04a256772a1

  • SHA256

    d8ed4a8e561b6ba347b87fba4bd13b4c7801255cb3502ad5af14a04d5c8f6205

  • SHA512

    2b44a6d1f17b2a2917370bdd901ef974be5e21c848c57979c51db3d6852601286d8ed9214c09fb18ad31770a498fd0be59e19a93fb8c9816301b5faae859cc80

  • SSDEEP

    786432:5I85pAdBxH3EYIANEOiGXodHhH7RLmvGzofvRTCGXDS39bZ3Hb/:QL9EY/+Ov4dBHNLmvx5C0S33Hb/

Malware Config

Targets

    • Target

      OrionCheckerPTOV2.zip

    • Size

      36.2MB

    • MD5

      5efb2675d3b4a4f3b8621c2e7b2b8a98

    • SHA1

      45894c2debc8cc219ebd14616e25f04a256772a1

    • SHA256

      d8ed4a8e561b6ba347b87fba4bd13b4c7801255cb3502ad5af14a04d5c8f6205

    • SHA512

      2b44a6d1f17b2a2917370bdd901ef974be5e21c848c57979c51db3d6852601286d8ed9214c09fb18ad31770a498fd0be59e19a93fb8c9816301b5faae859cc80

    • SSDEEP

      786432:5I85pAdBxH3EYIANEOiGXodHhH7RLmvGzofvRTCGXDS39bZ3Hb/:QL9EY/+Ov4dBHNLmvx5C0S33Hb/

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks