Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]

ID: S0343
Type: MALWARE
Platforms: Windows
Version: 2.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.[1]

Enterprise T1002 Data Compressed

Exaramel for Windows automatically compresses files before sending them to the C2 server.[1]

Enterprise T1022 Data Encrypted

Exaramel for Windows automatically encrypts files before sending them to the C2 server.[1]

Enterprise T1074 Data Staged

Exaramel for Windows specifies a path to store files scheduled for exfiltration.[1]

Enterprise T1036 Masquerading

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[1]

Enterprise T1112 Modify Registry

Exaramel for Windows adds the configuration to the Registry in XML format.[1]

Enterprise T1050 New Service

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV".[1]
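The Masquerading and New Service entries above both rest on the same observable: a service named wsmprovav described as "Windows Check AV". The following PowerShell is an added defender-side example, not code from this page or from the referenced report. The service name and description are the only values taken from the page; the function name, the parameter names, the choice of Win32_Service and of System log event 7045 (the Service Control Manager's "a service was installed" record) are assumptions of this example.

```powershell
# Added example (not from the page): look for a service matching the name/description
# this page reports, both in the live service table and in the service-install audit trail.
function Find-ExaramelServiceIndicator {
    [CmdletBinding()]
    param(
        # Indicators come from the page; extend these lists if your own intel adds more.
        [string[]]$SuspectNames        = @('wsmprovav'),
        [string[]]$SuspectDescriptions = @('Windows Check AV'),
        # Assumed look-back window for the event log query.
        [int]$LookBackDays = 30
    )

    # 1. Currently registered services whose name or description matches.
    $liveHits = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            ($SuspectNames -contains $_.Name) -or
            ($SuspectDescriptions -contains $_.Description)
        } |
        Select-Object @{n='Source';e={'Win32_Service'}},
                      Name, DisplayName, Description, State, StartMode, PathName, StartName

    # 2. Service installation events (System log, ID 7045) that mention a suspect name.
    #    This catches a service that was created and later removed.
    $since = (Get-Date).AddDays(-$LookBackDays)
    $eventHits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            $msg = $_.Message
            ($SuspectNames | Where-Object { $msg -match [regex]::Escape($_) }).Count -gt 0
        } |
        Select-Object @{n='Source';e={'EventID 7045'}},
                      TimeCreated, @{n='Message';e={ $_.Message -replace '\s+', ' ' }}

    # Return both result sets; an empty result means neither indicator was found.
    [PSCustomObject]@{
        LiveServices  = @($liveHits)
        InstallEvents = @($eventHits)
    }
}

# Usage (run in an elevated session so the event log and service table are fully readable):
$result = Find-ExaramelServiceIndicator
$result.LiveServices  | Format-List
$result.InstallEvents | Format-List
```

Any row in LiveServices deserves a look at PathName (the binary the service launches) and StartName (the account it runs as) before anything is removed; a hit only in InstallEvents means the service existed at some point and is worth correlating with other activity around that timestamp.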

Enterprise T1064 Scripting

Exaramel for Windows has a command to execute VBS and Go scripts on the victim's machine.[1]

References