Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
22/09/2022, 17:12 UTC
General
-
Target
f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe
-
Size
159KB
-
MD5
95749d6bae439efc267962c9bc3cb2d6
-
SHA1
236763d6a739c9a68350c5e9775ea8723de2a916
-
SHA256
f464ed5d98af0625c6c4678b916aa465f47a938e1cf4ad3bf5a95d129f8fb5f9
-
SHA512
3ee8697c54d69b837f0f81979edde35049904d677a849cfcd943d45d2615581cc18e78318e8d5d35e75273d732d6e06545edca7a4000222c766b4d8789a95fc6
-
SSDEEP
3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG
Score
10/10
Malware Config
Extracted
Family
marsstealer
Botnet
Default
C2
gg.gemkan.online/gate.php
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe"C:\Users\Admin\AppData\Local\Temp\f464ed5d98af0625c6c4678b916aa465f47a938e1cf4a.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 13762⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1348 -ip 13481⤵
Network
-
DNSgg.gemkan.onlineRemote address:8.8.8.8:53Requestgg.gemkan.onlineIN AResponsegg.gemkan.onlineIN A203.175.9.27 -
GEThttp://gg.gemkan.online/gate.phpRemote address:203.175.9.27:80RequestGET /gate.php HTTP/1.1
Host: gg.gemkan.online
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
Date: Thu, 22 Sep 2022 17:12:55 GMT
Server: Apache
Location: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
Content-Length: 233
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
GEThttp://gg.gemkan.online/cgi-sys/suspendedpage.cgiRemote address:203.175.9.27:80RequestGET /cgi-sys/suspendedpage.cgi HTTP/1.1
Host: gg.gemkan.online
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 22 Sep 2022 17:12:55 GMT
Server: Apache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
GEThttp://gg.gemkan.online/requestRemote address:203.175.9.27:80RequestGET /request HTTP/1.1
Host: gg.gemkan.online
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
Date: Thu, 22 Sep 2022 17:12:56 GMT
Server: Apache
Location: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
Content-Length: 233
Content-Type: text/html; charset=iso-8859-1
-
GEThttp://gg.gemkan.online/cgi-sys/suspendedpage.cgiRemote address:203.175.9.27:80RequestGET /cgi-sys/suspendedpage.cgi HTTP/1.1
Host: gg.gemkan.online
Cache-Control: no-cache
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 22 Sep 2022 17:12:56 GMT
Server: Apache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
203.175.9.27:80http://gg.gemkan.online/cgi-sys/suspendedpage.cgihttp
HTTP Request
GET http://gg.gemkan.online/gate.phpHTTP Response
302HTTP Request
GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgiHTTP Response
200HTTP Request
GET http://gg.gemkan.online/requestHTTP Response
302HTTP Request
GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgiHTTP Response
200
-
8.8.8.8:53gg.gemkan.onlinedns
DNS Request
gg.gemkan.online
DNS Response
203.175.9.27
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
244KB
-
Filesize
244KB