Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]

ID: S0343
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 30 January 2019
Last Modified: 17 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

Exaramel for Windows automatically encrypts files before sending them to the C2 server.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Exaramel for Windows has a command to launch a remote shell and execute commands on the victim's machine.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV."[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Exaramel for Windows specifies a path to store files scheduled for exfiltration.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[1]
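The service described under T1543.003 and T1036.004 above is the most concrete host artifact on this page, so here is a triage check for it. This is an added example, not code from the ESET report or from MITRE: it reads a service inventory in the shape of a PowerShell `Export-Csv` of `Win32_Service` fields (the sample inventory below is constructed), flags the exact indicators the page gives (service name `wsmprovav`, description "Windows Check AV"), and goes one step beyond the page with a general masquerade heuristic: a service whose display name or description claims to be a Windows or Microsoft component but whose executable lives outside the system and Program Files directories. The trusted-prefix list and the `C:` system drive are assumptions.

```python
"""Flag a Windows service masquerading as a Windows component (added example)."""
import csv
import io
import re
from typing import Dict, List

# Indicators stated on the page: the Exaramel for Windows dropper installs a
# service named wsmprovav with the description "Windows Check AV".
EXARAMEL_SERVICE_NAME = "wsmprovav"
EXARAMEL_SERVICE_DESCRIPTION = "Windows Check AV"

# Assumption: a genuine Windows/Microsoft component runs from one of these
# locations on the default system drive. Adjust for non-standard installs.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample inventory, in the layout produced by
#   Get-CimInstance Win32_Service | Select-Object Name,DisplayName,Description,PathName,StartMode | Export-Csv -NoTypeInformation
# The wsmprovav row carries the page's indicators; its PathName is invented for the example.
SAMPLE_INVENTORY = r'''"Name","DisplayName","Description","PathName","StartMode"
"WinRM","Windows Remote Management (WS-Management)","Windows Remote Management (WinRM) service implements the WS-Management protocol","%SystemRoot%\System32\svchost.exe -k NetworkService -p","Manual"
"wsmprovav","wsmprovav","Windows Check AV","C:\ProgramData\wsmprovav.exe","Auto"
"VendorAgent","Vendor Agent","Endpoint agent for a third-party product","""C:\Program Files\Vendor\agent.exe"" --service","Auto"
"UpdHelper","Windows Update Helper","Keeps Windows up to date","C:\Users\Public\updhelper.exe","Auto"'''


def executable_path(pathname: str) -> str:
    """Return the lower-cased executable from a service PathName.

    Handles quoted paths ("C:\\a b\\x.exe" -arg), unquoted paths without
    spaces (C:\\a\\x.exe -k net) and the %SystemRoot%/%windir% prefixes.
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        exe = pathname[1:].split('"', 1)[0]
    else:
        exe = pathname.split(None, 1)[0] if pathname else ""
    # Assumption: %SystemRoot% and %windir% resolve to C:\Windows.
    exe = re.sub(r"%(systemroot|windir)%", lambda m: "c:\\windows", exe, flags=re.IGNORECASE)
    return exe.lower()


def claims_windows_identity(svc: Dict[str, str]) -> bool:
    """True if the display name or description presents the service as a Windows/Microsoft component."""
    text = " ".join((svc.get("DisplayName", ""), svc.get("Description", ""))).lower()
    return "windows" in text or "microsoft" in text


def check_service(svc: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one service record (empty list if clean)."""
    findings = []
    name = svc.get("Name", "").strip()
    desc = svc.get("Description", "").strip()
    exe = executable_path(svc.get("PathName", ""))
    if name.lower() == EXARAMEL_SERVICE_NAME:
        findings.append(f"service name '{name}' matches the Exaramel dropper indicator")
    if desc == EXARAMEL_SERVICE_DESCRIPTION:
        findings.append(f"description '{desc}' matches the Exaramel dropper indicator")
    # Generic masquerade heuristic: claims to be Windows but runs from an untrusted location.
    if claims_windows_identity(svc) and exe and not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"claims to be a Windows component but runs from {exe}")
    return findings


def find_masquerading_services(inventory_csv: str) -> Dict[str, List[str]]:
    """Map service Name -> findings for every flagged service in a CSV inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv.strip()))
    results = {}
    for svc in reader:
        findings = check_service(svc)
        if findings:
            results[svc["Name"]] = findings
    return results


if __name__ == "__main__":
    for service_name, reasons in find_masquerading_services(SAMPLE_INVENTORY).items():
        print(service_name)
        for reason in reasons:
            print("  -", reason)
```

On a live host, produce the inventory with `Get-CimInstance Win32_Service | Select-Object Name,DisplayName,Description,PathName,StartMode | Export-Csv -NoTypeInformation services.csv` and pass the file contents to `find_masquerading_services`. The generic heuristic is a triage filter, not a verdict: legitimately installed software that mentions Windows in its description and runs from a non-standard path will also be listed, so review each hit against the binary's signature and install history.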

Enterprise T1112 Modify Registry

Exaramel for Windows stores its configuration in the Registry in XML format.[1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team [1]

References