Another InfoStealer Enters the Field, ExelaStealer | FortiGuard Labs

ExelaStealer is a new Python-based infostealer distributed as both an open-source project and a paid, customizable build that targets Windows to harvest browser credentials, cookies, clipboard contents, screenshots, and keystrokes. FortiGuard Labs’ analysis shows that its authors use PyInstaller packaging and obfuscation to hide Exela.py inside an Obfuscated.pyc blob, deploy it via a decoy-PDF dropper, collect system and WLAN data, and exfiltrate the results through a Discord webhook.

Keypoints

  • ExelaStealer is written in Python and offered both as open-source code and a paid, customizable builder advertised on Telegram by a handle named “quicaxd.”
  • The builder uses obf.py to obfuscate source code; the main payload lives in Exela.py and is packaged into a PyInstaller executable (Obfuscated.pyc / Obfuscated.py).
  • A dropper named sirket-ruhsat-pdf.exe deploys a second executable and launches a benign decoy PDF, depositing files in the C: root to hide malicious activity.
  • Dynamic behavior includes spawning a second process, running commands to gather Windows version and UUID, executing base64-encoded PowerShell to capture screenshots, and copying clipboard images.
  • Collected artifacts include systeminfo, user lists, startup items, firewall state, WLAN profiles, and browser-stored credentials/cookies; data is saved under C:\Users\<username>\AppData\Local\Temp and zipped.
  • Exfiltration is performed by sending the zip archive to a threat-actor-controlled Discord channel via a Discord webhook URL found in the collected files.
  • IOCs published include multiple file SHA256 hashes for the dropper/payload and a Discord webhook address for data exfiltration.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The builder obfuscates the malware code with a script: ‘The builder uses a file named “obf.py” to make the calls necessary to obfuscate ExelaStealer’s code.’
  • [T1059.001] PowerShell – The sample executes an encoded PowerShell command to capture screen content: ‘a base-64 encoded PowerShell command.’
  • [T1113] Screen Capture – The decoded PowerShell command captures a screenshot: ‘this command attempts to grab a screenshot of whatever is currently displayed on the screen.’
  • [T1115] Clipboard Data – The malware copies images from the Windows clipboard to disk: ‘These commands copy images from the Clipboard…’
  • [T1555.003] Credentials from Web Browsers – ExelaStealer harvests browser-stored secrets such as passwords, cookies, and session data: ‘It can steal sensitive information from a Windows-based host (e.g., passwords, credit cards, cookies and session data, and general keylogging).’
  • [T1056.001] Input Capture: Keylogging – The malware performs general keylogging to capture typed data: ‘general keylogging’
  • [T1082] System Information Discovery – The dropper collects OS version and system UUID using ver and wmic: ‘These collect the version of Windows and the host’s UUID (Universally Unique Identifier).’
  • [T1567] Exfiltration Over Web Service – Collected data is posted to a TA-controlled channel using a Discord webhook: ‘This is then sent using a Discord webhook … to post to a TA-controlled Discord channel.’
  • [T1036] Masquerading – The executable claims a legitimate process name and appears signed with an invalid certificate to blend in: ‘The executable is most likely signed with a fraudulent or invalid certificate and uses the name “Runtime Broker,” a legitimate Microsoft process.’

Indicators of Compromise

  • [Filename / SHA256] dropper and payload – sirket-ruhsat-pdf.exe: f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048, 95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51
  • [Filename / SHA256] decoy PDF – BNG 824 ruhsat.pdf: 5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef (decoy document displayed to user)
  • [Filename / SHA256] masquerading runtime binary – RuntimeBroker.exe: 34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0, c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44
  • [Network] Discord webhook (exfiltration endpoint) – hXXps://discord[.]com/api/webhooks/1139506512302194789/X_VYZdAHscWQ… (used to post zipped stolen data to TA-controlled Discord channel)

ExelaStealer technical procedure (concise rewrite):

Building: ExelaStealer’s primary source is Exela.py; the builder (invoked via a Windows batch file that calls builder.py) can produce binaries on Windows only. During build the project runs obf.py to obfuscate non-library code, yielding an Obfuscated.py that is compiled into a PyInstaller bundle (Obfuscated.pyc) so analysts see a packed, obfuscated payload rather than plain source. Analysts can extract the PyInstaller archive (e.g., with pyinstxtractor) and decode the embedded blob using the provided decoding functions to recover Exela.py for inspection.

Deployment and local activity: The observed installer/dropper (sirket-ruhsat-pdf.exe) acts as a first-stage container: it writes itself and a second executable plus a benign decoy PDF to disk (C: root) and launches a PDF viewer to distract the user. The dropper spawns a second process, runs commands to collect the OS version and UUID (ver; wmic csproduct get uuid), and executes a base64-encoded PowerShell payload that captures a screenshot. The malware runs additional CLI and PowerShell commands to dump clipboard images, systeminfo, user lists, startup entries, firewall state, and WLAN profiles (netsh wlan show/export), storing all output under C:\Users\<username>\AppData\Local\Temp.

Exfiltration: After collection, ExelaStealer compresses the UUID-named folder into a ZIP and transmits it to the actor via a Discord webhook URL embedded in the collected text files. The overall chain—Python source → obfuscation → PyInstaller packaging → PyInstaller extraction/decoding → local collection → zip → Discord webhook—enables relatively straightforward recovery of Exela.py by reversing the blob decoding but provides runtime evasion and a simple web-service exfiltration channel for the threat actor.
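As an added defensive example (not code from FortiGuard Labs or from the ExelaStealer project), the following Python scans constructed process-command-line and proxy log lines for the stages of the chain just described: UUID discovery via wmic, encoded PowerShell (decoded from UTF-16LE base64), WLAN profile enumeration, staging under the user's Temp folder, and a Discord webhook POST. The regexes, stage names and sample lines are assumptions modelled on the commands this page names.

```python
"""Host-side detection for the ExelaStealer activity chain described above.
Added example (not FortiGuard Labs' or ExelaStealer's code): scans constructed
log lines for the stages this page documents and decodes encoded PowerShell."""
import base64
import re

# Stage patterns are an assumption modelled on the commands the page names.
STAGES = {
    "uuid_discovery": re.compile(r"\bwmic\s+csproduct\s+get\s+uuid\b", re.I),
    "wlan_profiles": re.compile(r"\bnetsh\s+wlan\s+(?:show|export)\b", re.I),
    "temp_staging": re.compile(r"\\AppData\\Local\\Temp\b", re.I),
    "discord_webhook": re.compile(
        r"https?://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I),
}
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.I)


def decode_encoded_powershell(b64: str) -> str:
    """Decode a -EncodedCommand blob (base64 over UTF-16LE); '' if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_log(lines):
    """Map each stage to the lines that hit; encoded PowerShell is stored decoded."""
    hits = {}
    for line in lines:
        for stage, rx in STAGES.items():
            if rx.search(line):
                hits.setdefault(stage, []).append(line)
        m = ENC_PS.search(line)
        if m:
            hits.setdefault("encoded_powershell", []).append(
                decode_encoded_powershell(m.group(1)))
    return hits


def exela_chain_score(lines) -> int:
    """Count distinct stages seen; several from one host is a triage trigger."""
    return len(scan_log(lines))


# Constructed log lines (not from the page). The base64 blob is UTF-16LE
# "Get-Date", a harmless stand-in; the webhook id and token are placeholders.
SAMPLE_LOG = [
    r"cmd.exe /c ver",
    r"wmic csproduct get uuid",
    r"powershell.exe -NoProfile -EncodedCommand RwBlAHQALQBEAGEAdABlAA==",
    r"netsh wlan show profiles",
    r"cmd.exe /c systeminfo > C:\Users\victim\AppData\Local\Temp\sysinfo.txt",
    r"POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 200",
    r"notepad.exe C:\Users\victim\notes.txt",
]

if __name__ == "__main__":
    for stage, evidence in scan_log(SAMPLE_LOG).items():
        print(f"{stage}: {evidence}")
```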

Read more: https://www.fortinet.com/blog/threat-research/exelastealer-infostealer-enters-the-field