Extracted

• • Target

    file.exe

  • Size

    879KB

  • MD5

    bd2b464bbcc0e12f585c3d300d4b7fc5

  • SHA1

    3fa46371470b2c92898e85e9b34f2462360f79be

  • SHA256

    144c0fcf6f803810d13f85bb4541c9916eb80e0d0d59bd24e03b5dd9159710df

  • SHA512

    c8fe242280f34b25fd96d2035f33c0fc06a33d887ce64717f4a4e5c8dd38b5e4bea38125563efb18f95696514d96fb0e4aae5433e49d6439c10f3e248cb1bf3a

  • SSDEEP

    24576:IKJ47SlzspERub0FCJVlvh7Ng6sCpgGMouSzNKkC1lMIftWkHvWA7:T45IftWkHvW

  Score

  10^/10

  marsstealerdefaultdiscoveryminerpersistencespywarestealervmprotect

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

    stealermarsstealer

  • Detectes Phoenix Miner Payload

    miner

  • Downloads MZ/PE file

  • Executes dropped EXE

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2