Overview

overview

10

Static

static

8

Exela-V2.0-main.rar

windows7-x64

1

Exela-V2.0-main.rar

windows10-2004-x64

1

Exela-V2.0...on.txt

windows7-x64

1

Exela-V2.0...on.txt

windows10-2004-x64

1

Exela-V2.0...ela.py

windows7-x64

3

Exela-V2.0...ela.py

windows10-2004-x64

3

Exela-V2.0...ICENSE

windows7-x64

1

Exela-V2.0...ICENSE

windows10-2004-x64

1

Exela-V2.0...obf.py

windows7-x64

3

Exela-V2.0...obf.py

windows10-2004-x64

3

Exela-V2.0...ej.exe

windows7-x64

7

Exela-V2.0...ej.exe

windows10-2004-x64

10

Stub.pyc

windows7-x64

3

Stub.pyc

windows10-2004-x64

3

Exela-V2.0...E.html

windows7-x64

3

Exela-V2.0...E.html

windows10-2004-x64

3

Exela-V2.0...px.exe

windows7-x64

5

Exela-V2.0...px.exe

windows10-2004-x64

5

out.exe

windows7-x64

out.exe

windows10-2004-x64

Exela-V2.0...der.py

windows7-x64

3

Exela-V2.0...der.py

windows10-2004-x64

3

Exela-V2.0...ll.bat

windows7-x64

1

Exela-V2.0...ll.bat

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Exela-V2.0-main.rar

  • Size

    9.8MB

  • Sample

    241225-zzapsaxrgr

  • MD5

    59df2ac94e4230fff7d1b49288c1bea3

  • SHA1

    a20979f7b65a9c0b401727ad18983a6160b012e4

  • SHA256

    b7dcd530d64dcc98af9da6f3b89d32aa6771b060c994028e6d9e41ff1da26abd

  • SHA512

    51e51bfebe590cfb62786df553324770c2123a02199ab07bda18281fabf55621bca9363a2d2632f81ef670f2cb092d5f33075fcef6185a444c9dd0fbff2bb6dd

  • SSDEEP

    196608:AWkS0XMI7v0bxC5icCLdzSHlB5/1JkOzaqCpg6P3ScyaY:rkb4bxRcCdCB5/wOPCpg6vDtY

Score
10/10
exelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Exela-V2.0-main.rar

    • Size

      9.8MB

    • MD5

      59df2ac94e4230fff7d1b49288c1bea3

    • SHA1

      a20979f7b65a9c0b401727ad18983a6160b012e4

    • SHA256

      b7dcd530d64dcc98af9da6f3b89d32aa6771b060c994028e6d9e41ff1da26abd

    • SHA512

      51e51bfebe590cfb62786df553324770c2123a02199ab07bda18281fabf55621bca9363a2d2632f81ef670f2cb092d5f33075fcef6185a444c9dd0fbff2bb6dd

    • SSDEEP

      196608:AWkS0XMI7v0bxC5icCLdzSHlB5/1JkOzaqCpg6P3ScyaY:rkb4bxRcCdCB5/wOPCpg6vDtY

    Score
    1/10
    behavioral1behavioral2

    • Target

      Exela-V2.0-main/AssemblyFile/version.txt

    • Size

      1KB

    • MD5

      b13f73267d6a3e865a941bf7bb817d19

    • SHA1

      d316522907e81cc1a276e9ac8f31ffd3fbfda75e

    • SHA256

      5c7da4bf53b1ebda26683c75e5c03d1d062683d4f1af10db939ba334787136cf

    • SHA512

      cd1fa569e55c490d0546a50b6dfecbc3ca265fba8566c33d25bd3e6d173366781d0dc1d11bcf5606322ba64926fed815c3d54184357c4afef72647cda89aa274

    Score
    1/10
    behavioral3behavioral4

    • Target

      Exela-V2.0-main/Exela.py

    • Size

      140KB

    • MD5

      53d0f2edf910d03bf6a5b2a2806adf02

    • SHA1

      48beb9f2cca54ffc5e19c829bcaf03b167ea7eb4

    • SHA256

      ff0b26b330f3bddc1a9eba6dae2bc4f8609fc85592f8f3c6344f2907a7a57cf9

    • SHA512

      f4cb0a556441097021a53c09105793fc7cca4240b1471a486b665849fd2d498afb007485bec284b02e4a68aec012e6e4b6b31a6e56ac712a925e66d76008b866

    • SSDEEP

      1536:7iYj57SAiFZ49jKyZrwnuHHAz2yv07Q5lnpO0yZdaC12J0vGULqDDC/+0M4ToxK8:B7JWewygludaC2JwNYC/+sl/0

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      Exela-V2.0-main/LICENSE

    • Size

      1KB

    • MD5

      f57ba58cdbeb92901c54411f17778ecf

    • SHA1

      c8a7afdaf560972b15d3455b1634ffbee230c7ff

    • SHA256

      61942d31cc5c5791bf214fbab7de4649fb4d15d5e058b2646d9ffbf40bffcac5

    • SHA512

      536c29c8ab24fc4b03fa153cc79189a42c5eb9febb917c3460b342f93c35ef83c52e0f5f0e042dd7a25eff612094616c96e9bd9aee42423d7edc158f61701bfb

    Score
    1/10
    behavioral7behavioral8

    • Target

      Exela-V2.0-main/Obfuscator/obf.py

    • Size

      6KB

    • MD5

      bfbf108641c41832ac8584a6b85960cc

    • SHA1

      978719dd1d5bf0c64138d1b5082bd2952fe99f5c

    • SHA256

      2ba721b0f3311123399cfa098502ad53cfa4e8e0fe6ce0de65ed2c84ea1c1101

    • SHA512

      5084d394f375de4e741da68c35387793496c8c7c7b178c40cbfa3c50fa91e99cb28cace978ca9abb4155d68adc94ef6106ab690a808285eb3e9e27e23f10a1a8

    • SSDEEP

      192:wtcWEKm7AwfMIB/fGPEPPP8PEPyPkP/PyPfPyPtPyPaPyP+PyPMPyP5PPP8PpPyV:qpm7AQDNGPEPPP8PEPyPkP/PyPfPyPtw

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      Exela-V2.0-main/Pavica je okej.exe

    • Size

      9.4MB

    • MD5

      5eb5901afa6e48e9b500abfdc285b91b

    • SHA1

      d0ad34b6b401697f6b5b9c99ba5aefbed9d63ead

    • SHA256

      6bb46c9085a11993227500872b13a137bc02eb41bca919659cc005fabca386c1

    • SHA512

      f67ce9ded25a724fd0972ad3b33bda4dc7e158bfa43fad8f4342aa9993a834ccec555e6ddb5fd483dbee40d28324572212edf21261407fc7e539ae825a275b04

    • SSDEEP

      196608:KbG2GMYxmvNm1E8giq1g9KRDOlrJlpZstQoS9Hf1BKXTHK/CCh:MG2Em1m1NqVR0BGt7G/+HK3

    Score
    10/10
    upxexelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Exelastealer family

      exelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      Stub.pyc

    • Size

      799KB

    • MD5

      a711821c22afce825c9b564004ea432c

    • SHA1

      6bf433a7cc496c6be49f410b59c267f01759ae33

    • SHA256

      7af14482972d9014df3720889e492a98cc08fa19e0976f84b277f2f75c162904

    • SHA512

      333c9941192e3d0418c2cf816442c77317a180c5776ef1d41a23012e6828b164c622e79027057e10cb79e2ef13ef8095c710cc6b337c69723bb9962a61666105

    • SSDEEP

      24576:mTfXe/2RW9pZZ3F2EHkuaOAQa32B+GA4/ThF:mVwVH1Na3XGAg

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      Exela-V2.0-main/README.md

    • Size

      7KB

    • MD5

      5a9c53cab4888a16488776dabaa8ffa0

    • SHA1

      819665cd8bf93032d177243a8c88a0414a5f67de

    • SHA256

      862c3d6ddfa842f83fc5106366c8e761edda554dcb6e1d8c54b7078995c49e31

    • SHA512

      f3cc668d6994c2877bb3ba86f1a49d2535656f030c25aae4a1ec101cf0ab7b4e78414ef00a0b0c820a9870145fc297ae4072c7711ccefcc1057435194a3ed274

    • SSDEEP

      192:vSWDPtBfIaR6kBxowZq3THlWmpBwBOXoslY705N:vSWDVBfIaRBxowZGTHlWmIUXTYAj

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      Exela-V2.0-main/UPX/upx.exe

    • Size

      550KB

    • MD5

      39ecdf78cb357513d1fd565c5e9edbdd

    • SHA1

      433bb8e090e48ea304c89bab1bf1b5defaaa08d7

    • SHA256

      1ea92da93eeaf4d456114b847b9bddfb47ef854e7c24143f290d5e3f44973e91

    • SHA512

      e83f04a8f7f5ffe257747f5b294d17d386ce700f4c59afa6ab9c4995be8ae33d34add425472722538c429ea0decd797393d5316d620df6d2895c2930e2474efb

    • SSDEEP

      12288:G5ngMB4arMslBeWZdK8hXN4f0K2YQpDZOBEVOEA/ToKrkW1A9N3:G9g349lPZdZ8Mg6+hB

    Score
    5/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral17behavioral18

    • Target

      out.upx

    • Size

      2.0MB

    • MD5

      d1c154f7759560c82691959e4f68fd19

    • SHA1

      60481cd8a6ccfc3d4a38992725f0e2315b43ff8f

    • SHA256

      7b9d20097706b569d6e183372cf433739d9dedc2dcd5f955d8906f6b18e123f9

    • SHA512

      a5fa3ea28026197bc5436a0b7dfe0d6e9a46a36e3c1e3de853bc1ba9caa157f100151dc14de196101953d3491bf407e4a519d4fc2e65ac0c08b5c47b4f5f780e

    • SSDEEP

      24576:Wwdc9ilRcNNifj+Wf5jgz+8K7Ik66dT3gR/prvCHtg6HzRziD:WAlRcNNDy8IIktwvCRz

    Score
    1/10
    behavioral19behavioral20

    • Target

      Exela-V2.0-main/builder.py

    • Size

      9KB

    • MD5

      c334e5c6dbdc27f8e8b48d1dac286f23

    • SHA1

      4bc5853e91ad009c82efb16b8b4db489ea762995

    • SHA256

      27ebc271f47bd76b63b5f3aa36b7f0587f3bd543c9ca5e0e89719df54ef82f73

    • SHA512

      2de1d4879194e664d5d0911d1c36b6bf7c89fc25e86890e7028398c657ecb667564df08db7d7436a04a3cf7b1db30eb8ecd252b71281ca7b1523139871c47a13

    • SSDEEP

      192:+m8jnYv13epp3UfI2Pa/fcjzgLu1krJUPjDxsOl/Zapl:+m4nM1upp39V8ELblU7DxsOfw

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      Exela-V2.0-main/install.bat

    • Size

      877B

    • MD5

      cd480b40656a01015f5c7e16832d3384

    • SHA1

      c446c9cb3a534d9ea432916bbd04b466a07d4521

    • SHA256

      c2863c67203376c14e8f2c64e16f65185d2f1272c75fe9d6b43f301ad1181d64

    • SHA512

      0504e98fbb276374b9c3aa8edab36154b412934269d1cda99e8b0742c0f1071326cc3ad5e08e51446421dcedcce362ef6d51e22461a4267ed92f3abba0e87576

    Score
    1/10
    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks