File name:	Exela.exe
Full analysis:	https://app.any.run/tasks/80a2ace9-a768-485d-84b3-25c192db0906
Verdict:	Malicious activity
Threats:	Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 20, 2024, 19:42:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion exela stealer pyinstaller susp-powershell ims-api generic discord growtopia discordgrabber upx python
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	57A2DC05065B6C5BD7A16287574B44DD
SHA1:	D0D6EA49375492259A5C7B00E1D52B37D9DCD704
SHA256:	548B6D77905BFB2217782A2EA99E8E55DC2DEDDB94AF1C43E79A33161328DB26
SSDEEP:	98304:t6CRRm8ziKqhBYukWPK8YutPrCpEJg4ESq/NCz0kKBWGJMDV+ly+/9F8BZ6GHgBP:PwaX44a1I8aqVjF6v/2

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:09:20 15:48:24+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xcdb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.746
ProductVersionNumber:	10.0.19041.746
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Exela Services
FileVersion:	10.0.19041.746 (WinBuild.160101.0800)
InternalName:	Exela.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	Exela.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.746


(PID) Process:	(7004) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31132565
(PID) Process:	(7004) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:

PID	Process	Filename		Type
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_cffi_backend.cp312-win_amd64.pyd		executable
		MD5:27004B1F01511FD6743EE5535DE8F570	SHA256:D2D3E9D9E5855A003E3D8C7502A9814191CF2B77B99BA67777AC170440DFDCCF
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_queue.pyd		executable
		MD5:51C7B2CA2871FA9D4A948F2ABD22DE05	SHA256:36EC2EF3F553257912E3E3D17706920C1A52C3619D5C7B157C386C1DBE6E3F52
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_bz2.pyd		executable
		MD5:C9F84CBFFF18BF88923802116A013AA0	SHA256:5F33CD309AE6F049A4D8C2B6B2A8CD5ADE5E8886408ED2B81719E686B68B7D13
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_sqlite3.pyd		executable
		MD5:337889448ECD97A305A96CF61F1B84B9	SHA256:A35A017EE1C003290F4850B4C3D7140F5F0DF98D2178BF67923A610AEE1679BE
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_lzma.pyd		executable
		MD5:96E99C539E2CB0683B148DA367CE4389	SHA256:72A7D452B3A164195B4A09B85A8E33AD4E6B658C10396B1A313E61DA8F814304
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\aiohttp\_http_parser.cp312-win_amd64.pyd		executable
		MD5:3B69343E88AFCB2313D7B1FB34990B9D	SHA256:—
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_overlapped.pyd		executable
		MD5:A849BFCEF664851201326A739E1DBA41	SHA256:7E23125519F4C79B0651A36DD7820E278C0B124395D7F1FB0BC7DCA78D14834B
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\VCRUNTIME140.dll		executable
		MD5:BE8DBE2DC77EBE7F88F910C61AEC691A	SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_ssl.pyd		executable
		MD5:4DC99D3CBE1BB4B474D8C1BC70B5B7D0	SHA256:570E29E73FC398C52ABEEBB92654AC321DAD50E625C1230D919D88DA1FD8D8D0
6616	Exela.exe	C:\Users\admin\AppData\Local\Temp\_MEI66162\_socket.pyd		executable
		MD5:0A4BEC3ACC2DB020D129E0E3F2D0CD95	SHA256:3C6BB84D34E46E4FDF1BA192A4B78C4CAF9217F49208147E7C46E654D444F222

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3376	Exela.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	shared
—	—	POST	200	45.112.123.227:443	https://store1.gofile.io/uploadFile	unknown	binary	439 b	—
—	—	POST	404	162.159.138.232:443	https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L	unknown	binary	45 b	—
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L	unknown	binary	45 b	—
—	—	POST	404	162.159.136.232:443	https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L	unknown	binary	45 b	—
—	—	GET	404	51.38.43.18:443	https://api.gofile.io/getServer	unknown	text	14 b	—
—	—	POST	404	162.159.136.232:443	https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L	unknown	binary	45 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
—	—	20.189.173.10:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
3376	Exela.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	unknown
3376	Exela.exe	162.159.137.232:443	discord.com	CLOUDFLARENET	—	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	unknown
google.com	142.250.185.142	unknown
www.microsoft.com	184.30.21.171	unknown
ip-api.com	208.95.112.1	unknown
discord.com	162.159.137.232 162.159.135.232 162.159.128.233 162.159.136.232 162.159.138.232	unknown
api.gofile.io	51.38.43.18 45.112.123.126	unknown
store1.gofile.io	45.112.123.227	unknown

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3376	Exela.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2256	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3376	Exela.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
3376	Exela.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
3376	Exela.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2256	svchost.exe	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
3376	Exela.exe	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2256	svchost.exe	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)

General Info

Exela.exe

57A2DC05065B6C5BD7A16287574B44DD

D0D6EA49375492259A5C7B00E1D52B37D9DCD704

548B6D77905BFB2217782A2EA99E8E55DC2DEDDB94AF1C43E79A33161328DB26

98304:t6CRRm8ziKqhBYukWPK8YutPrCpEJg4ESq/NCz0kKBWGJMDV+ly+/9F8BZ6GHgBP:PwaX44a1I8aqVjF6v/2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

ExelaStealer has been detected

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Process drops python dynamic module

Executable content was dropped or overwritten

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

Get information on the list of running processes

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Starts application with an unusual extension

Starts POWERSHELL.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Uses WMIC.EXE to obtain local storage devices information

Uses SYSTEMINFO.EXE to read the environment

Uses QUSER.EXE to read information about current user sessions

Uses WMIC.EXE to obtain commands that are run when users log in

Uses NETSH.EXE to obtain data on the network

Process uses ARP to discover network configuration

Starts SC.EXE for service management

Suspicious use of NETSH.EXE

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

The process bypasses the loading of PowerShell profile settings

Process uses IPCONFIG to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

Checks for external IP

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Changes the display of characters in the console

The Powershell gets current clipboard

Reads Internet Explorer settings

Reads the time zone

Checks operating system version

PyInstaller has been detected (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

UPX packer has been detected

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules