Overview

overview

10

Static

static

3

Nursultan crack.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nursultan crack (1).zip

  • Size

    25.5MB

  • Sample

    250108-j53dzs1qay

  • MD5

    bb66510badd72805792145efdeae31e5

  • SHA1

    3500558542ae07522a4f4f85b920fc4d1c59bd8e

  • SHA256

    c64c499aeaeca03cf24ed573edaabb4cfb9a69545963b073e559966bca63430d

  • SHA512

    92f4bbd57a8194755e22a7b5488abe1bb21ed8d2fe5ffbcf16d2ede9d221a20e0173f438b52d7f3051b716fed3c4fcaaef394f7874122f9a085b0458fd5ff084

  • SSDEEP

    786432:mwtkaAgdVeyiG5yWs8i6XrZvoc8xKdCHG:mraFdsuAWf3N

Score
10/10
exelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealertrojanupx

Malware Config

Targets

    • Target

      Nursultan crack.exe

    • Size

      25.5MB

    • MD5

      2a38a1cfd99d14237768eccaaf8b4d1d

    • SHA1

      c0c1c66d72490d1d0c6a5074b91bed8206985cc4

    • SHA256

      7d8303d7239270b1d3f001061933c478519f3e04f001701a24566770ae7f489a

    • SHA512

      ed1d45a26908eb3362d202ce0bf5de80fe960b97f2f0c3662b27598f2cad5869b8dca517d3f65d572ba70c6c32e8937a964c3a31f1bae8a3271d98a1ad15c993

    • SSDEEP

      786432:bSXOurfH6yvD2h/Zcvr2Vu6a3zy5bxxEhcMzMw5FpsD:bSXOuVscvryAyxchcm5UD

    Score
    10/10
    exelastealercollectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerspywarestealertrojanupx

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Exelastealer family

      exelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

5
T1012

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks