marsstealer | fbf742c40ad5a1ba5f6258244f484fac04134e839ceb95f4e3ca7b9567f6b537 | Triage

Submit
Reports

Overview

overview

Static

static

10afe23352...f9.exe

windows7-x64

10afe23352...f9.exe

windows10-2004-x64

Sharing

General

Target

7848036132.zip
Size

131KB
Sample

220805-ta2t3sefa9
MD5

6c40792aa22219223c9ac9738ce885a2
SHA1

3d5692753deddfff118962e90625dbb42a0a0334
SHA256

fbf742c40ad5a1ba5f6258244f484fac04134e839ceb95f4e3ca7b9567f6b537
SHA512

a6ebf8143dd3f180896d209c4b024d8ac60035b2091037c4fa0e1bf69e13f320bd636d1f3bebe803b95976fa7552f82f5d2889d6a43eb633aa027fc01423ed9d
SSDEEP

3072:x9SfRItIiMuWQU656zlxYu14HPyh2V5BpXYxZRssD:x9U2zfexYuuKh2V3poxZym

Score

10^/10

marsstealer default discovery spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9.exe

Resource

win7-20220718-en

marsstealer default discovery spyware stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9.exe

Resource

win10v2004-20220721-en

marsstealer default discovery spyware stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

marsstealer

Botnet

Default

C2

atomic-wallet.net/marsword/gate.php

Targets

- Target
  
  10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9
- Size
  
  171KB
- MD5
  
  10f0d3a64949a6e15a9c389059a8f379
- SHA1
  
  0f6e3442c67d6688fae5f51b4f60b78cd05f30df
- SHA256
  
  10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9
- SHA512
  
  40b19007433518aba9c19c9fdae314112a73f50ab0dcf9356a1887b44bcdbadf767be1eb0f2d4c1ba249c8791473c55e0d9f12daaed9356bf560e14d3e473c60
- SSDEEP
  
  3072:UT2zrkyQyNgBm3LT/ohHbD5pFhuQ3xVdOJnEcJSp8Bb8EG9XkP0N:iyQyeB2LTAh7D5pFhuCTG8EG9X1N
Score

10^/10

marsstealer default discovery spyware stealer
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

marsstealerdefaultdiscoveryspywarestealer

behavioral2

marsstealerdefaultdiscoveryspywarestealer

© 2018-2024

Terms | Privacy