exelastealer | hxxps://objects[.]githubusercontent[.]com/github-production-release-asset-2e65be/764758656/747af394-9e4b-4111-baf2-c35b93843380?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250127%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250127T191730Z&X-Amz-Expires=300&X-Amz-Signature=4737f19b7a219d2b5fb7f4ef47747cf388bfa593e3ad3681e953c22406191062&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DGhostChecker[.]zip&response-content-type=application%2Foctet-stream

General

Target

https://objects.githubusercontent.com/github-production-release-asset-2e65be/764758656/747af394-9e4b-4111-baf2-c35b93843380?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250127%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250127T191730Z&X-Amz-Expires=300&X-Amz-Signature=4737f19b7a219d2b5fb7f4ef47747cf388bfa593e3ad3681e953c22406191062&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DGhostChecker.zip&response-content-type=application%2Foctet-stream
Sample

250127-xzwadaslbv

Score

10^/10

Malware Config

Targets

- Target
  
  https://objects.githubusercontent.com/github-production-release-asset-2e65be/764758656/747af394-9e4b-4111-baf2-c35b93843380?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250127%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250127T191730Z&X-Amz-Expires=300&X-Amz-Signature=4737f19b7a219d2b5fb7f4ef47747cf388bfa593e3ad3681e953c22406191062&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DGhostChecker.zip&response-content-type=application%2Foctet-stream
Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation stealer upx
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  defense_evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1