Resubmissions

22-09-2022 17:11

220922-vqfr8afgdp 10

20-09-2022 11:34

220920-npqsgachd6 10

General

  • Target

    ffea36eb362bd7a6e654afb51fc067931e46e4e6d54f5a4e2159a9c51c3f1f7c

  • Size

    159KB

  • Sample

    220920-npqsgachd6

  • MD5

    b5c6ac787feb4612d8ec375ce35b6a7d

  • SHA1

    2425ebf40b339d9f32aef1122aa2e832c8d51bd6

  • SHA256

    ffea36eb362bd7a6e654afb51fc067931e46e4e6d54f5a4e2159a9c51c3f1f7c

  • SHA512

    1a9c843067bd3ea7d264a16ebcc7d1fdb57c25e3a3ec0e0bf0ea85272224b0286a09a3c68fc38f40bd81af1b9d9038de90b432e2507f5c0404108cc73f698061

  • SSDEEP

    3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG

Malware Config

Extracted

Family

arkei

Botnet

Default

Extracted

Family

marsstealer

Botnet

Default

C2

mars.haksanlogistics.com/gate.php

Targets

    • Target

      ffea36eb362bd7a6e654afb51fc067931e46e4e6d54f5a4e2159a9c51c3f1f7c

    • Size

      159KB

    • MD5

      b5c6ac787feb4612d8ec375ce35b6a7d

    • SHA1

      2425ebf40b339d9f32aef1122aa2e832c8d51bd6

    • SHA256

      ffea36eb362bd7a6e654afb51fc067931e46e4e6d54f5a4e2159a9c51c3f1f7c

    • SHA512

      1a9c843067bd3ea7d264a16ebcc7d1fdb57c25e3a3ec0e0bf0ea85272224b0286a09a3c68fc38f40bd81af1b9d9038de90b432e2507f5c0404108cc73f698061

    • SSDEEP

      3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG

    • Mars Stealer

      An infostealer written in C++ based on other infostealers.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks