exelastealer | 912a8bf9175eb19e46272ad9a49a14e192e936df2e2801038778aa58c00de723

Sharing

General

Target

BLtools-v2.9.1-Pro-BLtools2.9.1Pro.zip
Size

21.0MB
Sample

250226-23cpnawwfw
MD5

99b64aac30a9cfa780eda9c5da5df220
SHA1

eccf241f53490535d7dab254c272d155506eaaf4
SHA256

912a8bf9175eb19e46272ad9a49a14e192e936df2e2801038778aa58c00de723
SHA512

60cd6d16ae52670c818ebfd20fe4e90c1d1d347bde3e35fa8a1c18a9f1c3d08536ba99da87cabf42d75bb4ef838f0719a5eeeed64673561205589451b5aa8f08
SSDEEP

393216:ZDD+tkooF69/sW4n5kbmNsUP+c+ZfhrWOjlTBSAI2tAVZVJNIo6mTjW8r5sNR:lCtk9SEVQmyG+nZfhKOJ4AjIHzV/nNsv

Score

10^/10

Malware Config

Targets

- Target
  
  Bltools 2.9.1[PRO]/AlphaFS.dll
- Size
  
  359KB
- MD5
  
  f2f6f6798d306d6d7df4267434b5c5f9
- SHA1
  
  23be62c4f33fc89563defa20e43453b7cdfc9d28
- SHA256
  
  837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd
- SHA512
  
  1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211
- SSDEEP
  
  6144:QDyJst+jyCnzLp9hvHsPvPvPvS2JQvlojidPp:QDyJsvCnzZf4U1d
Score

1^/10
behavioral1 behavioral2
- Target
  
  Bltools 2.9.1[PRO]/Bltools 2.9.1 [PRO].exe
- Size
  
  14.0MB
- MD5
  
  59fa48be8a4b93d5b6264b3f30a42c57
- SHA1
  
  35af02f02568cf21d954a79972a3e1b9a88c14c1
- SHA256
  
  0a602136ae066c54d87a8d275fab10d34df115b49a3ea580b8c825a6c637a669
- SHA512
  
  4ae4485a3daae4cfb703b46ef76b1f9979bdef8e9b21d7d8527a5dd73d88e34c36ec7d08230469cd98981a15ad72104d98acd5ed64ca906282770b141d406065
- SSDEEP
  
  393216:jehC8odGNhEge3fk76ni3DuAOTFbXkO/14:yhC9QOp06izuHTFb0O94
Score

10^/10

monster discovery stealer exelastealer collection defense_evasion persistence privilege_escalation spyware
- Detects Monster Stealer.
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Monster
  Monster is a Golang stealer that was discovered in 2024.
  stealer monster
- Monster family
  monster
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Bltools 2.9.1[PRO]/CookiesCreator v1.2.exe
- Size
  
  3.3MB
- MD5
  
  30c33f45545b68bd1e0d7ec79a090883
- SHA1
  
  086e1fadee4a61091250dedb616785c73b50950c
- SHA256
  
  4e95226cce6e17fdc39f3a5f9050720d7848bb34ce2df72e63c878235c5be630
- SHA512
  
  d76e6d64147d185a07b819cc9fe26daa1c1ae72af6a01b5467ae0b7f07239a8c0edc0c9066fff22c08241025909b492af9cc1f4e3d0eb136a54ee3b7a0d5a6f4
- SSDEEP
  
  49152:14AQHxRXGKijAKG+TAdrdBpNIty0YwIs349UnzIYua0+v8li9IiFqVsf/z452nZ5:1lAnrVKGNhdBEIs3IuUw085qKf/z45
Score

9^/10

defense_evasion discovery themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  Bltools 2.9.1[PRO]/Extreme.Net.dll
- Size
  
  121KB
- MD5
  
  f79f0e3a0361cac000e2d3553753cd68
- SHA1
  
  4314bcef76fddc9379a8f3a266b37d685d0adb79
- SHA256
  
  8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd
- SHA512
  
  c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355
- SSDEEP
  
  3072:bdoECIgjBibgp2tBqL0Y++ruXqMG4ih3lbpMqc:bdoECIgUrG
Score

1^/10
behavioral7 behavioral8
- Target
  
  Bltools 2.9.1[PRO]/License.dll
- Size
  
  11B
- MD5
  
  d76bf73f3d3768a4589e72a7b2b83088
- SHA1
  
  9e6d246ddb9ae2438fcc1d12534e54c84bc38382
- SHA256
  
  eaab53f4b23c3cc9e3c9d4d5d4689438146519e69c7063f4f15b0a43dd861f7b
- SHA512
  
  519e9210e9d751a524cf49ceff2e7ddd096f679760a0807d9ee6a3f0870d418336d5004bfd54b94a749f17f3ba85dc404d2cc700fdb3bee1610aba727d428eaf
Score

1^/10
behavioral10 behavioral9
- Target
  
  Bltools 2.9.1[PRO]/MaterialDesignColors.dll
- Size
  
  295KB
- MD5
  
  5c108c4da6d03f0fa2c3b4dc7890cb52
- SHA1
  
  48af67b6166068b6f138306bbd1157c7583c6e73
- SHA256
  
  b5ec30c93b1d2b4631ee2b178750ec92e302e2e331090ec9783981b9572354f8
- SHA512
  
  48d055610eead361809bd839c66ccdca1d5e0d9dffe15af9d15afa106ee7791c8b17acb91f2aba5cf3dda2997b049bcf70b43c3b56b8b01f1fc7bb845ce6c91b
- SSDEEP
  
  1536:wr1In+fq1fDfDemxD0EsXpGX0EOAcTtU7fKoVxbzQcV:G1WB1PerAjOAj7fKoVxb1V
Score

1^/10
behavioral11 behavioral12
- Target
  
  Bltools 2.9.1[PRO]/MaterialDesignThemes.Wpf.dll
- Size
  
  9.1MB
- MD5
  
  824cbf63999f954aa1747f79586a4d3c
- SHA1
  
  5f1cd6346a45024bbbe09e304c12b6f6bf227d5c
- SHA256
  
  344e2cee979e979932f504dc76bd75e97ae1ff46caa3fe2795adfe0a866347f7
- SHA512
  
  d36149f7cb5ffc62dac6bb4521105d09fac988de567e181fdca4f23e5079aca5f4292e1d314f797f1a597263ddac0210060cb71c111565717e3a288a47770c51
- SSDEEP
  
  98304:PW8EOPXJDntBksKY+ND3WyA4+TLVei10vMzPv8/4C8B5XVS49Xzy83IiEcJMrCRM:PW8lnJ45/9iD54+V11bFv4z
Score

1^/10
behavioral13 behavioral14
- Target
  
  Bltools 2.9.1[PRO]/Microsoft.Xaml.Behaviors.dll
- Size
  
  142KB
- MD5
  
  95f46f34c099421d917d5feadbb33edb
- SHA1
  
  3d1cb9cf59000012734901a35baeb3d9c1dd5db3
- SHA256
  
  8e77a1dd5e2df4d4af801376cc3428b082eb49fcb6e647b933967fae12ad9d5d
- SHA512
  
  c9c9f72980316c68ad2a8dbe2c6c563c0deddfc9e845674d0e2f5313a0ae285d60a755e2ca04164f78b37a36521259307b3eb7d43f5ec9a9de5507bda7e4c1b8
- SSDEEP
  
  3072:lN+EM1X0WlL9JAn11M1dXcGkOsizI35rCj8SIP:v+ll79in1h6
Score

1^/10
behavioral15 behavioral16
- Target
  
  Bltools 2.9.1[PRO]/Ookii.Dialogs.Wpf.dll
- Size
  
  103KB
- MD5
  
  932ebb3f9e7113071c6a17818342b7cc
- SHA1
  
  9ce2d08bc3840632092325abcc8d842eeb8189d4
- SHA256
  
  285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5
- SHA512
  
  6b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141
- SSDEEP
  
  1536:qgoPBGuyAy52V+gtTLq6ZUc68h8O0SB/XBboIawHUPV5bKLh8sm6b0gl:qgwBGu2IV+ghd68WOxXBbx+5of
Score

1^/10
behavioral17 behavioral18