MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ExelaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
SHA3-384 hash: 815d475c02e58048a4ba1463105049564431cdccc16cb33154114f4cf6060354e5342ece826f3bdf5662a4187c18b72f
SHA1 hash: 3f27e8d2ba7abf435c2056da7fc435081b461a08
MD5 hash: 66d48388a031b9cfbce19c6ac6fd3d71
humanhash: angel-charlie-december-beryllium
File name:08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
Download: download sample
Signature ExelaStealer
Create hunting rule
File size:49'440'229 bytes
First seen:2024-09-17 14:44:43 UTC
Last seen:2024-09-17 15:42:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 786432:NiEwzN8Wa35zYTIRaZD5G/p5H72RiL5WmVvz2a3yHoRYxCDDEHTCn2jM77b/BQc5:NXwzeWaJzYTXdsp5H72q5WW2hIR9sCn5
TLSH T15EB73334BE34595DF878FDF4B89EE0D29E244406C1B10D684E26C399F59B4E0BFA426B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter JAMESWT_WT
Tags:96-9-226-111 exe ExelaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
443
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://bulletenergyllc.homes/deejay/
Verdict:
Malicious activity
Analysis date:
2024-09-17 07:56:03 UTC
Tags:
opendir exploit loader exela stealer evasion python pyinstaller susp-powershell ims-api generic discordgrabber growtopia upx discord
Link:
https://app.any.run/tasks/61b941ae-b72d-4ae5-a806-2686f5eb52fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e995f75d6a2b58599a952b
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66e995fb3d94125307285314/reports/60238374-ef8d-45d8-8285-c93289c6efb6/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
suspicious
Classification:
troj
Score:
30 / 100
Link:
https://www.joesandbox.com/analysis/1512627
Signature
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1512627 Sample: bVYIHEnh5P.exe Startdate: 17/09/2024 Architecture: WINDOWS Score: 30 34 quickpresentationdoc.xyz 2->34 8 bVYIHEnh5P.exe 11 199 2->8         started        11 github.exe 4 2->11         started        signatures3 38 Performs DNS queries to domains with low reputation 34->38 process4 dnsIp5 26 C:\Users\user\AppData\Local\...\installer.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->30 dropped 32 25 other files (none is malicious) 8->32 dropped 14 cmd.exe 1 8->14         started        36 quickpresentationdoc.xyz 198.54.115.119, 443, 49710 NAMECHEAP-NETUS United States 11->36 16 github.exe 1 11->16         started        18 github.exe 1 11->18         started        file6 process7 process8 20 conhost.exe 14->20         started        22 tasklist.exe 1 14->22         started        24 find.exe 1 14->24         started       
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcsj4yumwompfpeqfye3w2wufp6jptqjvsqkuoxdlgqx47cdfnsa._file
Verdict:
unknown
Result
Malware family:
exelastealer
Create hunting rule
Score:
  10/10
Tags:
family:exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx
Link:
https://tria.ge/reports/240917-r4qmssydjb/
Behaviour
Collects information from the system
Gathers network information
Gathers system information
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
System Network Connections Discovery
Launches sc.exe
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Checks installed software on the system
Looks up external IP address via web service
Network Service Discovery
Clipboard Data
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Modifies Windows Firewall
Credentials from Password Stores: Credentials from Web Browsers
Grants admin privileges
Exela Stealer
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e8b357b-aade-40fd-87ce-df5a9038b551
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08a49e628cb398f2bc902e09bb6ad42bfc97ce09aca0aa3ae359a17e7c432b64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments