exelastealer | 37f387d9d653f5bbb85a74ac4294558b12b4698a5f9925b5e92bbe3af91cd68b

Sharing

General

Target

checker.zip
Size

47.7MB
Sample

250323-wr28aatn17
MD5

9fa3a8aa25180a3d5867b839dc4adbf1
SHA1

118a61470cff7e80d99312b5c7c683ff570c628f
SHA256

37f387d9d653f5bbb85a74ac4294558b12b4698a5f9925b5e92bbe3af91cd68b
SHA512

c32db70e36a05bdee1a9d08974401cec8f7b4e23628f0ca43870e8d7130cbc455688ccb4568db9e2812b5cd727818ae0736501f0de97049f121428c7615ca76b
SSDEEP

786432:PVgAqysfLT98mNC2UPWLFVzS/tD1Pz0W0J8vh8HkkEZzvwi7vlH9or2lxnGewBO0:2pysfl8sUQFVMP4W0AhEkZzZ79HKr2l4

Score

10^/10

Malware Config

Extracted

Family

xworm

127.0.0.1:4139

Attributes

install_file
USB.exe

Targets

- Target
  
  checker/checker/LICENSE
- Size
  
  1KB
- MD5
  
  0e00d3e24b9c14361510acde7d728d92
- SHA1
  
  67f0d8b3aeaf54fd0dcbf4016f84c792bba8163a
- SHA256
  
  e799abee6388d8bd5b85859f630c3c2c70c389f5cf9983c75cdd71cf3c958445
- SHA512
  
  4215374167dbac5fa42bfbfaaaf40cd1e70b22fed6043d936c6f34ccc236360a98185e246806e9753e3780029df7d54610a675d055cd49eb0b2a53f457340df7
Score

1^/10
behavioral1 behavioral2 behavioral3
- Target
  
  checker/checker/discordWebhook.txt
- Size
  
  160B
- MD5
  
  42aac867ad5b877d22cb73531bfd3cc7
- SHA1
  
  158b0c7b7561a99afca302d0dd2e7318e2fdfb31
- SHA256
  
  102be433d3b8803480276be56fbfab1c3c205d4077a1dc1af367a94102b68e4e
- SHA512
  
  ef2f44f7b77e0f9cf88b1c55e18fb2aa59bd8f08bc79e89d04fb52d6245e10a3d22651d7c52b5ccc86a96260b9d47ee78122e237b50204954acf2fbe8276e52e
Score

1^/10
behavioral4 behavioral5 behavioral6
- Target
  
  checker/checker/gen.py
- Size
  
  941B
- MD5
  
  ea5c4fb08e02528236bae46b09401c28
- SHA1
  
  a08f1ac11fdddfcfb2d88f42b71d46d80cbb1498
- SHA256
  
  b43fa03d93f00915d966608576135a96aa165043e2fc5270faa0ec3366096956
- SHA512
  
  497658d7fc907829aae61cf59a6b916960f3ad277ae20854aba48dbdcdec04ccb9db4d08dfb13dc5975e8db2cd0093b77bee16d79d27594c6c6ac9bef4f4b93b
Score

3^/10
behavioral7 behavioral8 behavioral9
- Target
  
  checker/checker/generator4l.exe
- Size
  
  9.1MB
- MD5
  
  435b6a39485acf524aedef5ceb85f435
- SHA1
  
  8110a9e1c8143ed8076c734c1e94d3657afba215
- SHA256
  
  610a13a7a760cd81ac391350ac055281b343a2649271beb2f7b8f4a6f32df1ed
- SHA512
  
  7333692e5676c5706f93d9afa8bd7d9930d6805688387e6e23ad680d69e63f074fe7508b47a9ebe5378547b78c369d0574853ba13ca68fee7a9774c4b80983fd
- SSDEEP
  
  196608:Ipgo28iTRZq7p+mLM5nxf8tgIfj5PmlSisMa86ZxG7II6pG9:Ipgo284UpOnxUuIfj5wC86Zx2MG
Score

10^/10

xworm pyinstaller rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral11 behavioral12
- Target
  
  checker/checker/setup.exe
- Size
  
  38.7MB
- MD5
  
  649a8a400b04fe09604c899cba87d3bd
- SHA1
  
  8904ca358b5e691d621d008da7dc096a60670982
- SHA256
  
  fc51275b58e49d509c01a2a8cdb8367494819e5be0b752590361de0a6473a162
- SHA512
  
  6c5b4a39a9ea76111ac2086d861bac6b4f9cfda78b84db8bfffc8852d5172b859653e5cf5e1b0d3f06166a4fd9dd302111d7030d2286a6ff577748fc538393af
- SSDEEP
  
  786432:1YeImzBvaNZl7XtSscty1JqJGooHvZQaZbRbhC5MnVWyHMOvOT:1YCzBsXEscGJmkHvhZ1b05MnV5bm
Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation spyware stealer
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  defense_evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral13 behavioral14 behavioral15
- Target
  
  checker/checker/wordlist.txt
- Size
  
  696B
- MD5
  
  3e9250ff57f51f13ca9829d0015cd663
- SHA1
  
  82769cf8ecb89ead819d84ac02bb51615f58e229
- SHA256
  
  4ae599fad0a67de6815107fcb0f496cd39bf42f2c32d03801c0a9b73d4312aea
- SHA512
  
  2fbe41c5200a32a1b3110c122001ea94dfc8589b62e69d6707e74070797efd38c1aa35491f8d7c19d10f4843135ae31e48ebe05419b7fc66f14ff9ea03807fb0
Score

1^/10
behavioral16 behavioral17 behavioral18