File name:	nuker.exe
Full analysis:	https://app.any.run/tasks/c25e99a1-e78f-4a38-b8cd-d3a6aa491759
Verdict:	Malicious activity
Threats:	Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 13, 2025, 17:59:07
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python stealer evasion exela discord screenshot pyinstaller susp-powershell ims-api generic discordgrabber growtopia upx rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	86F16EA4E8118A29B3D14E379C923AAC
SHA1:	A2C482FA274F12F4E32A0BCD32A5648A784A21CA
SHA256:	86C2BFA1421C2103E72217C27A8C5A9D6D8DF4DE533125B1C8AF362097D5A0D1
SSDEEP:	196608:EtMyz9vmA0g6ahC2qeX9Q+LrnoccGJfv9C9+12CGqzaxAtTQkZc:CMyz936a6WPrJcQu+1YoT3i

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:28 17:46:00+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	25698816
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x18841ee
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	nuker.exe
LegalCopyright:
OriginalFileName:	nuker.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7152) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31173789
(PID) Process:	(7152) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:

PID	Process	Filename		Type
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_ctypes.pyd		executable
		MD5:6A9CA97C039D9BBB7ABF40B53C851198	SHA256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_cffi_backend.cp311-win_amd64.pyd		executable
		MD5:739D352BD982ED3957D376A9237C9248	SHA256:9AEE90CF7980C8FF694BB3FFE06C71F87EB6A613033F73E3174A732648D39980
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_bz2.pyd		executable
		MD5:4101128E19134A4733028CFAAFC2F3BB	SHA256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
1056	dfwx.exe	C:\Users\admin\AppData\Local\Temp\_MEI10562\_bz2.pyd		executable
		MD5:80C69A1D87F0C82D6C4268E5A8213B78	SHA256:307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
1056	dfwx.exe	C:\Users\admin\AppData\Local\Temp\_MEI10562\_asyncio.pyd		executable
		MD5:1B8CE772A230A5DA8CBDCCD8914080A5	SHA256:FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_decimal.pyd		executable
		MD5:D47E6ACF09EAD5774D5B471AB3AB96FF	SHA256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
3100	rainy.exe	C:\Users\admin\AppData\Local\Temp\_MEI31002\_lzma.pyd		executable
		MD5:337B0E65A856568778E25660F77BC80A	SHA256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
516	nuker.exe	C:\Users\admin\AppData\Local\Temp\dfwx.exe		executable
		MD5:FE56A37AD91C2EA626459621345EC7B2	SHA256:538B368FCCBF6A5146F49F07575E20EC56584C9DD53B2D29D7404665FFDF2541
1056	dfwx.exe	C:\Users\admin\AppData\Local\Temp\_MEI10562\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
6388	dfwx.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	whitelisted
—	—	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
2644	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
2644	SIHClient.exe	GET	200	23.48.23.183:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6388	dfwx.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
6388	dfwx.exe	162.159.128.233:443	discord.com	CLOUDFLARENET	—	whitelisted
2644	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2644	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19 23.48.23.183 23.48.23.193 23.48.23.181 23.48.23.137 23.48.23.138 23.48.23.194 23.48.23.180 23.48.23.140 23.48.23.177	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
ip-api.com	208.95.112.1	whitelisted
discord.com	162.159.128.233 162.159.137.232 162.159.135.232 162.159.136.232 162.159.138.232	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
api.gofile.io	51.91.7.6 45.112.123.126	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6388	dfwx.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6388	dfwx.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI

General Info

nuker.exe

86F16EA4E8118A29B3D14E379C923AAC

A2C482FA274F12F4E32A0BCD32A5648A784A21CA

86C2BFA1421C2103E72217C27A8C5A9D6D8DF4DE533125B1C8AF362097D5A0D1

196608:EtMyz9vmA0g6ahC2qeX9Q+LrnoccGJfv9C9+12CGqzaxAtTQkZc:CMyz936a6WPrJcQu+1YoT3i

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

ExelaStealer has been detected

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

GROWTOPIA has been detected (YARA)

DISCORDGRABBER has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Application launched itself

Loads Python modules

Get information on the list of running processes

Reads the date of Windows installation

Accesses product unique identifier via WMI (SCRIPT)

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Uses WMIC.EXE to obtain Windows Installer data

Process drops python dynamic module

Starts POWERSHELL.EXE for commands execution

Starts application with an unusual extension

Uses NETSH.EXE to obtain data on the network

Uses SYSTEMINFO.EXE to read the environment

Checks for external IP

Uses QUSER.EXE to read information about current user sessions

Uses WMIC.EXE to obtain commands that are run when users log in

Process uses IPCONFIG to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

Uses WMIC.EXE to obtain local storage devices information

Windows service management via SC.EXE

Starts SC.EXE for service management

Suspicious use of NETSH.EXE

BASE64 encoded PowerShell command has been detected

The process bypasses the loading of PowerShell profile settings

Process uses ARP to discover network configuration

Possible usage of Discord/Telegram API has been detected (YARA)

CSC.EXE is used to compile C# code

Captures screenshot (POWERSHELL)

Base64-obfuscated command line is found

Multiple wallet extension IDs have been found

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

The sample compiled with english language support

Process checks computer location settings

Create files in a temporary directory

Reads security settings of Internet Explorer

Creates files or folders in the user directory

The Powershell gets current clipboard

Changes the display of characters in the console

Checks operating system version

Reads the time zone

Prints a route via ROUTE.EXE

PyInstaller has been detected (YARA)

Attempting to use instant messaging service

Found Base64 encoded reflection usage via PowerShell (YARA)

Application based on Rust

Checks proxy server information

Reads the software policy settings

UPX packer has been detected

Malware configuration

ims-api