Analysis
-
max time kernel
142s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
22-09-2022 17:11
Behavioral task
behavioral1
Sample
data64_1.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
data64_1.exe
Resource
win10v2004-20220812-en
General
-
Target
data64_1.exe
-
Size
159KB
-
MD5
95749d6bae439efc267962c9bc3cb2d6
-
SHA1
236763d6a739c9a68350c5e9775ea8723de2a916
-
SHA256
f464ed5d98af0625c6c4678b916aa465f47a938e1cf4ad3bf5a95d129f8fb5f9
-
SHA512
3ee8697c54d69b837f0f81979edde35049904d677a849cfcd943d45d2615581cc18e78318e8d5d35e75273d732d6e06545edca7a4000222c766b4d8789a95fc6
-
SSDEEP
3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG
Malware Config
Extracted
marsstealer
Default
gg.gemkan.online/gate.php
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 524 1376 WerFault.exe data64_1.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
data64_1.exedescription pid process target process PID 1376 wrote to memory of 524 1376 data64_1.exe WerFault.exe PID 1376 wrote to memory of 524 1376 data64_1.exe WerFault.exe PID 1376 wrote to memory of 524 1376 data64_1.exe WerFault.exe PID 1376 wrote to memory of 524 1376 data64_1.exe WerFault.exe