MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ExelaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703
SHA3-384 hash: e9dbf776a1b5d3c33484f8b9e23ef98c892311f9b6adf3b93b6eac0a65ba7fa0cf1cc2653b9a0427a662fcebd781965a
SHA1 hash: 0488ab18141ab8e13af4250d242298a381d62dbb
MD5 hash: f2312dd34a1e8ecdae24ac0386cc6725
humanhash: enemy-august-pip-crazy
File name:dos.exe
Download: download sample
Signature ExelaStealer
Create hunting rule
File size:14'732'687 bytes
First seen:2025-05-08 19:46:45 UTC
Last seen:2025-05-09 07:37:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 965e162fe6366ee377aa9bc80bdd5c65 (44 x BlankGrabber, 9 x Efimer, 7 x PythonStealer)
ssdeep 393216:gnQuF4XXXm2JtWNhqKVv/uCurXVmeiYpCPTShGJ:gZd2JtEhqKVvWCyVfpCPTxJ
TLSH T1D7E6333C26E914E7F0F6CB39986284E1C6D6AE461B1BD683D3BCF0AA2C335C16572355
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 64646c6c6c646c0d (3 x ExelaStealer, 3 x Babadeda, 1 x EternityStealer)
Reporter skocherhan
Tags:exe ExelaStealer gitlab-com-project-69565380


Avatar
skocherhan
https://gitlab.com/-/project/69565380/uploads/0f91e425c6a9b9b1518381df4c82ae4d/dos.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
628
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dos.exe
Verdict:
Malicious activity
Analysis date:
2025-05-08 19:49:06 UTC
Tags:
python exela stealer evasion screenshot discord github pyinstaller susp-powershell ims-api generic growtopia discordgrabber rust
Link:
https://app.any.run/tasks/3dc3b03b-bc6f-4637-a617-27ad9fdf09e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681d0b0091991ead82b64c18
Tags:
vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Connection attempt
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Changing a file
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the process to change network settings
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packer_detected
Link:
https://www.filescan.io/uploads/681d0a3d0b64e174c41e687d/reports/1e6461ba-4570-48bb-b73a-dccf5e46f707/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ece670b5-7b64-4ced-9280-fe62bec3886d
Result
Threat name:
Python Stealer, Exela Stealer, Waltuhium
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1684817
Signature
Detected generic credential text file
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Gathers network related connection and port information
Joe Sandbox ML detected suspicious sample
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites the password of the administrator account
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected Exela Stealer
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected Python Stealer
Yara detected Waltuhium Grabber
Yara detected WIFI Password Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1684817 Sample: dos.exe Startdate: 08/05/2025 Architecture: WINDOWS Score: 100 81 store1.gofile.io 2->81 83 raw.githubusercontent.com 2->83 85 3 other IPs or domains 2->85 101 Suricata IDS alerts for network traffic 2->101 103 Sigma detected: Capture Wi-Fi password 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 10 other signatures 2->107 10 dos.exe 75 2->10         started        signatures3 process4 file5 65 C:\Users\...\_quoting_c.cp313-win_amd64.pyd, PE32+ 10->65 dropped 67 C:\Users\user\AppData\...\win32evtlog.pyd, PE32+ 10->67 dropped 69 C:\Users\user\AppData\Local\...\win32api.pyd, PE32+ 10->69 dropped 71 35 other files (none is malicious) 10->71 dropped 119 Modifies the windows firewall 10->119 121 Found pyInstaller with non standard icon 10->121 123 Gathers network related connection and port information 10->123 14 dos.exe 80 10->14         started        signatures6 process7 dnsIp8 87 ip-api.com 208.95.112.1, 49734, 80 TUT-ASUS United States 14->87 89 raw.githubusercontent.com 185.199.108.133, 443, 49739 FASTLYUS Netherlands 14->89 91 4 other IPs or domains 14->91 73 C:\Users\user\AppData\Local\...\Waltuhium.exe, PE32+ 14->73 dropped 75 C:\Users\user\AppData\...\places.sqlite-shm, data 14->75 dropped 77 C:\Users\user\AppData\...\cookies.sqlite-shm, data 14->77 dropped 79 8 other malicious files 14->79 dropped 93 Found many strings related to Crypto-Wallets (likely being stolen) 14->93 95 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->95 97 Tries to harvest and steal browser information (history, passwords, etc) 14->97 99 4 other signatures 14->99 19 cmd.exe 1 14->19         started        22 cmd.exe 14->22         started        24 cmd.exe 1 14->24         started        26 14 other processes 14->26 file9 signatures10 process11 signatures12 109 Uses netsh to modify the Windows network and firewall settings 19->109 111 Uses ipconfig to lookup or modify the Windows network settings 19->111 113 Tries to harvest and steal WLAN passwords 19->113 115 Uses attrib.exe to hide files 19->115 28 conhost.exe 19->28         started        117 Overwrites the password of the administrator account 22->117 30 systeminfo.exe 22->30         started        33 net.exe 22->33         started        35 net.exe 22->35         started        43 11 other processes 22->43 37 WMIC.exe 1 24->37         started        39 conhost.exe 24->39         started        41 cmd.exe 26->41         started        45 26 other processes 26->45 process13 signatures14 125 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 30->125 47 WmiPrvSE.exe 30->47         started        127 Overwrites the password of the administrator account 33->127 49 net1.exe 33->49         started        51 net1.exe 35->51         started        129 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 37->129 131 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 37->131 53 chcp.com 41->53         started        55 quser.exe 43->55         started        57 net1.exe 43->57         started        59 net1.exe 43->59         started        61 net1.exe 43->61         started        63 chcp.com 45->63         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703/
Threat name:
Win64.Trojan.Yomal
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 08:39:18 UTC
File Type:
PE+ (Exe)
Extracted files:
795
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=loo5qudpcq3t3qljwr37w7xgaujp32tx47tgnotredbzx7p5e4bq._file
Result
Malware family:
exelastealer
Create hunting rule
Score:
  10/10
Tags:
family:exelastealer collection defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer
Link:
https://tria.ge/reports/250508-yhkmzsxmt4/
Behaviour
Collects information from the system
Detects videocard installed
Gathers network information
Gathers system information
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
System Network Connections Discovery
Launches sc.exe
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
Clipboard Data
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Firewall
Grants admin privileges
Exela Stealer
Exelastealer family
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/30fe91a0-b144-442e-b171-11e9376cd91b
Unpacked files
SH256 hash:
5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703
MD5 hash:
f2312dd34a1e8ecdae24ac0386cc6725
SHA1 hash:
0488ab18141ab8e13af4250d242298a381d62dbb
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:
32da96115c9d783a0769312c0482a62d
SHA1 hash:
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4
MD5 hash:
090f55321224c4bb65d9b9d99045ac89
SHA1 hash:
e28591421fa4464ed4b31e31f66b6dd6db051c84
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
MD5 hash:
c0c0b4c611561f94798b62eb43097722
SHA1 hash:
523f515eed3af6d50e57a3eaeb906f4ccc1865fe
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
81f54104925dd951e8fac62468cf7e2cf7d5c35d9c977ec32073a0a7a5ce7770
MD5 hash:
1dcb9beea03e32ef4420c1197284d001
SHA1 hash:
f476cfdbbe81aca788b1d28244593db7c5dcb536
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
90ba935a0145ee9ae56267a365cc0088d34fa506b7afeb2bd1bd78cd33359605
MD5 hash:
7b4bd20267c93e35c49c32aad05b6b15
SHA1 hash:
860a10d04c8764f540ed34cf08e06f32b7b37611
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
a3fa8f872d9021b4fa96addbe4546bffa8c61684ec25642061d649348070d68a
MD5 hash:
f9548ef0a569b825d41db0dc8b9d009d
SHA1 hash:
9bb1870e411a11136ad8764fc2e90ee13778f194
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
a475a7c9dfbe74878b86e223437caecf0f203d8ce7abe061c348d06f2a6614f5
MD5 hash:
d995c6a43583e65e9cfaeaf9cd998185
SHA1 hash:
376586f76511344ac6c41843141b228f53288265
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
b1b1bb33af9cc14749936b1f6bac36b2ffc494ec1a5fb8b12fc9180a6454f545
MD5 hash:
747fc8b90e33f5e9048bcf26788b9169
SHA1 hash:
ac30aae15bea0514c7730b007b68dd841a7f3ddc
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
MD5 hash:
ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 hash:
9f9a14efc15c904f408a0d364d55a144427e4949
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
MD5 hash:
0f8e4992ca92baaf54cc0b43aaccce21
SHA1 hash:
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
SH256 hash:
fdd54b6c495e9278e73d68203fff0c300e416e704852908cf5b06666cffead51
MD5 hash:
d6dfb6a9518a57e180980f7a07098d7d
SHA1 hash:
6026120461f5cbcd9255670b6a906fd8f5329073
Link:
https://www.unpac.me/results/6585eaa7-6a00-46b9-aa89-66210790de04/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b9dd8506f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ExelaStealer

Shortcut (lnk) lnk a539275d837cf5501e0d98abce56f16ca8f97c9d06662162278c0dffb783d7de

ExelaStealer

Executable exe 5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703

(this sample)

  
Dropped by
MD5 a6bbbc0fa1d897a9c5838f8cc0de53e1
  
Dropped by
SHA256 a539275d837cf5501e0d98abce56f16ca8f97c9d06662162278c0dffb783d7de
  
URLhaus
https://urlhaus.abuse.ch/url/3539458/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments