ExelaStealer Malware attacks Windows PCs and steals private data
FortiGuard Labs has published research on this new threat. ExelaStealer is open-source malware available in both a free and a paid version; it can also be customized for a fee.
It has been written in Python, but it can also use other languages like JavaScript when needed. It targets Windows-based systems and steals various types of information, such as passwords, credit cards, cookies, sessions, and keystrokes.
It is described as simple to use and anyone with the required skills could create an ExelaStealer binary using the freely available source code.
There’s evidence to suggest that ExelaStealer infiltrates victims’ computers through an executable masquerading as a PDF document, though this is likely not its sole delivery method.
You can read the full report on this malware here – https://www.fortinet.com/blog/threat-research/exelastealer-infostealer-enters-the-field
IOCs
File-based IOCs:
| Filename | SHA256 |
|---|---|
| sirket-ruhsat-pdf.exe | f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048 |
| sirket-ruhsat-pdf.exe | 95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51 |
| BNG 824 ruhsat.pdf | 5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef |
| RuntimeBroker.exe | 34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0 |
| RuntimeBroker.exe | c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44 |
Network-based IOCs:
| IOC | IOC type |
|---|---|
| hXXps://discord[.]com/api/webhooks/1139506512302194789/X_VYZdAHscWQ NKWvya9KWqqqTK6UjVvS86_kUy8P8OyCcPhKykCQpEqf93S_qDFVuzp8 | Discord webhook address |

Blogger at www.systemtek.co.uk