MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ExelaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a
SHA3-384 hash: 2f1dbcf2ff3fd85a9f96abaed1c61cd9ecbc04239fff71b6d84fc7e68dbf055fb5eb6dafceb7de8974e84e1f258228e2
SHA1 hash: 9b41277051d401d44b6dc74ee033139118fec565
MD5 hash: 00013dc35a7c68f8a7ef6e01b8ac90c8
humanhash: december-fish-cup-whiskey
File name:pk.exe
Download: download sample
Signature ExelaStealer
Create hunting rule
File size:14'730'935 bytes
First seen:2025-05-09 07:39:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 965e162fe6366ee377aa9bc80bdd5c65 (44 x BlankGrabber, 9 x Efimer, 7 x PythonStealer)
ssdeep 393216:mQuFU2JtWNhqKVv/uCurXVmeiYpCPTShGJ:EU2JtEhqKVvWCyVfpCPTxJ
TLSH T195E6333C26E514E7F0E6CB39A96194E5C2D5AE461B1BD243D3BCF0BA2C339C1653634A
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 64646c6c6c646c0d (3 x ExelaStealer, 3 x Babadeda, 1 x EternityStealer)
Reporter JAMESWT_WT
Tags:exe ExelaStealer gitlab-com-project-69565380

Intelligence

File Origin
# of uploads :
1
# of downloads :
459
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
56750876575851f1a5c0b58fe8cd78c21d6e8ceae0dc9af9946ea6ace79d5b48
Verdict:
Malicious activity
Analysis date:
2025-05-09 07:43:03 UTC
Tags:
python exela stealer evasion susp-powershell discord github screenshot
Link:
https://app.any.run/tasks/02eeae97-5810-4f83-a1e4-353d95e8ed2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681db2606c95617a27b6341b
Tags:
obfuscate xtreme sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Connection attempt
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Searching for the window
Changing a file
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the process to change network settings
Launching the process to interact with network services
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packer_detected
Link:
https://www.filescan.io/uploads/681db169d95f3e34e964eccf/reports/c489aa5b-1139-47f9-9bd4-f98ab11b5a51/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/58567c2b-5398-4758-9ab4-b35d1d822724
Result
Threat name:
Python Stealer, Exela Stealer, Waltuhium
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1685146
Signature
Bypasses PowerShell execution policy
Detected generic credential text file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Gathers network related connection and port information
Joe Sandbox ML detected suspicious sample
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Exela Stealer
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected Python Stealer
Yara detected Waltuhium Grabber
Yara detected WIFI Password Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1685146 Sample: pk.exe Startdate: 09/05/2025 Architecture: WINDOWS Score: 100 81 store1.gofile.io 2->81 83 shed.dual-low.s-part-0041.t-0009.t-msedge.net 2->83 85 7 other IPs or domains 2->85 101 Suricata IDS alerts for network traffic 2->101 103 Sigma detected: Capture Wi-Fi password 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 11 other signatures 2->107 10 pk.exe 75 2->10         started        signatures3 process4 file5 65 C:\Users\...\_quoting_c.cp313-win_amd64.pyd, PE32+ 10->65 dropped 67 C:\Users\user\AppData\...\win32evtlog.pyd, PE32+ 10->67 dropped 69 C:\Users\user\AppData\Local\...\win32api.pyd, PE32+ 10->69 dropped 71 35 other files (none is malicious) 10->71 dropped 125 Modifies the windows firewall 10->125 127 Tries to harvest and steal WLAN passwords 10->127 129 Found pyInstaller with non standard icon 10->129 131 Gathers network related connection and port information 10->131 14 pk.exe 107 10->14         started        signatures6 process7 dnsIp8 87 ip-api.com 208.95.112.1, 49693, 80 TUT-ASUS United States 14->87 89 raw.githubusercontent.com 185.199.110.133, 443, 49709 FASTLYUS Netherlands 14->89 91 4 other IPs or domains 14->91 73 C:\Users\user\AppData\Local\...\Waltuhium.exe, PE32+ 14->73 dropped 75 C:\Users\user\AppData\...\places.sqlite-shm, data 14->75 dropped 77 C:\Users\user\AppData\...\cookies.sqlite-shm, data 14->77 dropped 79 8 other malicious files 14->79 dropped 93 Found many strings related to Crypto-Wallets (likely being stolen) 14->93 95 Uses cmd line tools excessively to alter registry or file data 14->95 97 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->97 99 4 other signatures 14->99 19 cmd.exe 1 14->19         started        22 cmd.exe 14->22         started        24 cmd.exe 1 14->24         started        26 16 other processes 14->26 file9 signatures10 process11 signatures12 109 Uses cmd line tools excessively to alter registry or file data 19->109 111 Encrypted powershell cmdline option found 19->111 113 Bypasses PowerShell execution policy 19->113 123 4 other signatures 19->123 28 conhost.exe 19->28         started        115 Overwrites the password of the administrator account 22->115 117 Gathers network related connection and port information 22->117 119 Performs a network lookup / discovery via ARP 22->119 30 systeminfo.exe 22->30         started        33 net.exe 22->33         started        35 net.exe 22->35         started        43 16 other processes 22->43 37 WMIC.exe 1 24->37         started        39 conhost.exe 24->39         started        121 Tries to harvest and steal WLAN passwords 26->121 41 cmd.exe 26->41         started        45 29 other processes 26->45 process13 signatures14 133 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 30->133 47 WmiPrvSE.exe 30->47         started        135 Overwrites the password of the administrator account 33->135 49 net1.exe 33->49         started        51 net1.exe 35->51         started        137 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 37->137 139 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 37->139 53 chcp.com 41->53         started        55 quser.exe 43->55         started        57 net1.exe 43->57         started        59 net1.exe 43->59         started        61 net1.exe 43->61         started        63 chcp.com 45->63         started        process15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-09 07:39:07 UTC
File Type:
PE+ (Exe)
Extracted files:
795
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=so4ef2td3dbmutvc5csz34hyol3b3t2zc2i74kt6qdhrpp5eurva._file
Result
Malware family:
exelastealer
Create hunting rule
Score:
  10/10
Tags:
family:exelastealer collection defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer
Link:
https://tria.ge/reports/250509-jhn8vabl7v/
Behaviour
Collects information from the system
Detects videocard installed
Gathers network information
Gathers system information
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
System Network Connections Discovery
Launches sc.exe
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
Clipboard Data
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Firewall
Grants admin privileges
Exela Stealer
Exelastealer family
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/68286cae-a9ad-4744-8aff-ebf1d733ad5e
Unpacked files
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:
32da96115c9d783a0769312c0482a62d
SHA1 hash:
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
441363c5b15394ca4b117200800722d48042c04407d03aac0d1a0a967b7c68e4
MD5 hash:
090f55321224c4bb65d9b9d99045ac89
SHA1 hash:
e28591421fa4464ed4b31e31f66b6dd6db051c84
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
MD5 hash:
c0c0b4c611561f94798b62eb43097722
SHA1 hash:
523f515eed3af6d50e57a3eaeb906f4ccc1865fe
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
81f54104925dd951e8fac62468cf7e2cf7d5c35d9c977ec32073a0a7a5ce7770
MD5 hash:
1dcb9beea03e32ef4420c1197284d001
SHA1 hash:
f476cfdbbe81aca788b1d28244593db7c5dcb536
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
90ba935a0145ee9ae56267a365cc0088d34fa506b7afeb2bd1bd78cd33359605
MD5 hash:
7b4bd20267c93e35c49c32aad05b6b15
SHA1 hash:
860a10d04c8764f540ed34cf08e06f32b7b37611
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
a3fa8f872d9021b4fa96addbe4546bffa8c61684ec25642061d649348070d68a
MD5 hash:
f9548ef0a569b825d41db0dc8b9d009d
SHA1 hash:
9bb1870e411a11136ad8764fc2e90ee13778f194
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
a475a7c9dfbe74878b86e223437caecf0f203d8ce7abe061c348d06f2a6614f5
MD5 hash:
d995c6a43583e65e9cfaeaf9cd998185
SHA1 hash:
376586f76511344ac6c41843141b228f53288265
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
b1b1bb33af9cc14749936b1f6bac36b2ffc494ec1a5fb8b12fc9180a6454f545
MD5 hash:
747fc8b90e33f5e9048bcf26788b9169
SHA1 hash:
ac30aae15bea0514c7730b007b68dd841a7f3ddc
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
MD5 hash:
ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 hash:
9f9a14efc15c904f408a0d364d55a144427e4949
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
MD5 hash:
0f8e4992ca92baaf54cc0b43aaccce21
SHA1 hash:
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
fdd54b6c495e9278e73d68203fff0c300e416e704852908cf5b06666cffead51
MD5 hash:
d6dfb6a9518a57e180980f7a07098d7d
SHA1 hash:
6026120461f5cbcd9255670b6a906fd8f5329073
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
SH256 hash:
93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a
MD5 hash:
00013dc35a7c68f8a7ef6e01b8ac90c8
SHA1 hash:
9b41277051d401d44b6dc74ee033139118fec565
Link:
https://www.unpac.me/results/afe2caf4-4594-42e0-b5a1-a2486e7ecc22/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/93b842ea63d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ExelaStealer

Executable exe 93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3539459/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments