General
-
Target
nfdsame.bin
-
Size
556KB
-
Sample
220810-lfchdaabh5
-
MD5
a98781c107b2ace080273819b6686301
-
SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9
-
SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a
-
SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a
-
SSDEEP
12288:7CL/WvnYDWT+oNnar+B4gyvY4U+UVHoQP2XjU:7CWYDWTXNnTB4gQU+6SU
Malware Config
Extracted
marsstealer
Default
goldrushaw.ug/kanorgate.php
Targets
-
-
Target
nfdsame.bin
-
Size
556KB
-
MD5
a98781c107b2ace080273819b6686301
-
SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9
-
SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a
-
SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a
-
SSDEEP
12288:7CL/WvnYDWT+oNnar+B4gyvY4U+UVHoQP2XjU:7CWYDWTXNnTB4gQU+6SU
Score10/10-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-