File name:	nuker.exe
Full analysis:	https://app.any.run/tasks/c25e99a1-e78f-4a38-b8cd-d3a6aa491759
Verdict:	Malicious activity
Threats:	Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 13, 2025, 17:59:07
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python stealer evasion exela discord screenshot pyinstaller susp-powershell ims-api generic discordgrabber growtopia upx rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	86F16EA4E8118A29B3D14E379C923AAC
SHA1:	A2C482FA274F12F4E32A0BCD32A5648A784A21CA
SHA256:	86C2BFA1421C2103E72217C27A8C5A9D6D8DF4DE533125B1C8AF362097D5A0D1
SSDEEP:	196608:EtMyz9vmA0g6ahC2qeX9Q+LrnoccGJfv9C9+12CGqzaxAtTQkZc:CMyz936a6WPrJcQu+1YoT3i

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:28 17:46:00+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	25698816
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x18841ee
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	nuker.exe
LegalCopyright:
OriginalFileName:	nuker.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7152) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31173789
(PID) Process:	(7152) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:

PID	Process	Filename		Type
516	nuker.exe	C:\Users\admin\AppData\Local\Temp\rainy.exe		executable
		MD5:B1558352F2E971929693AEE887A16B87	SHA256:628363695D45AE82465D6DCCF04C2A7C5481C4659C45866EADAB542FB71C06BA
1056	dfwx.exe	C:\Users\admin\AppData\Local\Temp\_MEI10562\_asyncio.pyd		executable
		MD5:1B8CE772A230A5DA8CBDCCD8914080A5	SHA256:FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
1056	dfwx.exe	C:\Users\admin\AppData\Local\Temp\_MEI10562\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
516	nuker.exe	C:\Users\admin\AppData\Local\Temp\dfwx.exe		executable
		MD5:FE56A37AD91C2EA626459621345EC7B2	SHA256:538B368FCCBF6A5146F49F07575E20EC56584C9DD53B2D29D7404665FFDF2541
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_lzma.pyd		executable
		MD5:337B0E65A856568778E25660F77BC80A	SHA256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_ctypes.pyd		executable
		MD5:6A9CA97C039D9BBB7ABF40B53C851198	SHA256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_bz2.pyd		executable
		MD5:4101128E19134A4733028CFAAFC2F3BB	SHA256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_asyncio.pyd		executable
		MD5:2859C39887921DAD2FF41FEDA44FE174	SHA256:AEBC378DB08617EA81A0A3A3BC044BCC7E6303E314630392DD51BAB12F879BD9
1056	dfwx.exe	C:\Users\admin\AppData\Local\Temp\_MEI10562\_decimal.pyd		executable
		MD5:E9501519A447B13DCCA19E09140C9E84	SHA256:6B5FE2DEA13B84E40B0278D1702AA29E9E2091F9DC09B64BBFF5FD419A604C3C
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_multiprocessing.pyd		executable
		MD5:1386DBC6DCC5E0BE6FEF05722AE572EC	SHA256:0AE3BF383FF998886F97576C55D6BF0A076C24395CF6FCD2265316E9A6E8C007

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6388	dfwx.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	whitelisted
—	—	GET	304	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	unknown
2644	SIHClient.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	200	4.245.163.56:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	unknown
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6388	dfwx.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
6388	dfwx.exe	162.159.128.233:443	discord.com	CLOUDFLARENET	—	whitelisted
2644	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2644	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19 23.48.23.183 23.48.23.193 23.48.23.181 23.48.23.137 23.48.23.138 23.48.23.194 23.48.23.180 23.48.23.140 23.48.23.177	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
ip-api.com	208.95.112.1	whitelisted
discord.com	162.159.128.233 162.159.137.232 162.159.135.232 162.159.136.232 162.159.138.232	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
api.gofile.io	51.91.7.6 45.112.123.126	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6388	dfwx.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI

General Info

nuker.exe

86F16EA4E8118A29B3D14E379C923AAC

A2C482FA274F12F4E32A0BCD32A5648A784A21CA

86C2BFA1421C2103E72217C27A8C5A9D6D8DF4DE533125B1C8AF362097D5A0D1

196608:EtMyz9vmA0g6ahC2qeX9Q+LrnoccGJfv9C9+12CGqzaxAtTQkZc:CMyz936a6WPrJcQu+1YoT3i

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

ExelaStealer has been detected

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Starts a Microsoft application from unusual location

Uses WMIC.EXE to obtain Windows Installer data

Process drops python dynamic module

Loads Python modules

Application launched itself

Get information on the list of running processes

Starts CMD.EXE for commands execution

Accesses product unique identifier via WMI (SCRIPT)

Uses ATTRIB.EXE to modify file attributes

Starts application with an unusual extension

Checks for external IP

Uses NETSH.EXE to obtain data on the network

Uses SYSTEMINFO.EXE to read the environment

Uses WMIC.EXE to obtain local storage devices information

Uses QUSER.EXE to read information about current user sessions

Starts POWERSHELL.EXE for commands execution

Uses WMIC.EXE to obtain commands that are run when users log in

Process uses IPCONFIG to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

Process uses ARP to discover network configuration

Windows service management via SC.EXE

Starts SC.EXE for service management

Suspicious use of NETSH.EXE

BASE64 encoded PowerShell command has been detected

The process bypasses the loading of PowerShell profile settings

CSC.EXE is used to compile C# code

Base64-obfuscated command line is found

Captures screenshot (POWERSHELL)

Multiple wallet extension IDs have been found

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Process checks computer location settings

Reads security settings of Internet Explorer

Creates files or folders in the user directory

The Powershell gets current clipboard

Changes the display of characters in the console

Checks operating system version

Reads the time zone

Prints a route via ROUTE.EXE

PyInstaller has been detected (YARA)

Attempting to use instant messaging service

Found Base64 encoded reflection usage via PowerShell (YARA)

UPX packer has been detected

Application based on Rust

Checks proxy server information

Reads the software policy settings

Malware configuration

ims-api