marsstealer | 0ec53991141cc122eda481c75322bd9c5ab70c71a36cba7985c21917787b37da | Triage

Sharing

General

Target

PumpedUp.zip
Size

1.0MB
Sample

220916-na5cbabcel
MD5

f5bcaff54d4b52077be1b91c55837773
SHA1

ce5b30b120b6bbf78e56e1c289d90631fbed8031
SHA256

0ec53991141cc122eda481c75322bd9c5ab70c71a36cba7985c21917787b37da
SHA512

8030436ba4aefd676d4c83c6d85207851acb827ec7128409890c82254edd23d359f6bf3f5b49bf0e88bf3b21e491d91a41133a45a20fedae3d1f1ede8b769da0
SSDEEP

6144:w5H68hLV3Bq6k8up97XVeejE5++zrf3YoKZhEi+EPu1Vjr+IiZEL:oak3M6k/pDNEo+zLYcifu1BSs

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

C2

23.137.249.61/fa7hfjas.php

Targets

- Target
  
  PumpedUp.exe
- Size
  
  743.9MB
- MD5
  
  e831ccf678cfa1d780a1749ee7f78587
- SHA1
  
  f1b6098241538821819a8a19e0573aca6b5b5408
- SHA256
  
  9cbc4811e3a6682dc7e2c91de05409e9245495330f8bb72a5a12d0a5bd63556f
- SHA512
  
  b0c217c43b7df9ad269aa232142380e5e33fa29c3e6bf4a47d95636d8e8ce33c0a5394101c5e2bdf0d6352e1620c7010a517e0459e3f641ae52923376cbab7b9
- SSDEEP
  
  12288:AGLgiIVtZ7XtAJh1Upw+0/y49EkUk184RWHEScjYe:AwlQtZmJvUph0/yt7kae9ce
Score

10^/10

marsstealer default spyware stealer
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

marsstealerdefaultspywarestealer

behavioral2

marsstealerdefaultspywarestealer