marsstealer | 50dec188746b9f3e72fe1effd96444eb8ed1b74ae86dc923ab55734b73dbbd6b

Analysis

max time kernel
137s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2022 09:16

Target

InstallerNPW.exe
Size

505.1MB
MD5

a7181bdf496d2c79b321f14de2598680
SHA1

c4f30ccc90fe2a4c392a8c7f665b831c04757553
SHA256

5390a252d7d09aa1a46aca97c8fd9642adac289a6a33d9fc6d3eb1b3f5c0194d
SHA512

a94a43eb45f30d8cfe1144c90d642480d93100cea6c77f693d25318abc98a30a279a443da5fe67e4356922ae7be651d0775361742b16cc0232c6c7c1c4f58bbe
SSDEEP

6144:gCFtTT32Sw1eIKWgpxAOzuuXUXs/nEcYY6rpohYxNJgIzMfKkve4uQLl8+:dHT32SwAguXUc/nr6rDxzUSyPLq+

Score

10^/10

Family

marsstealer

Botnet

Default

46.3.197.98/hsdf7w34rhdjsf.php

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

InstallerNPW.exe

description pid process target process

PID 1672 set thread context of 3924 1672 InstallerNPW.exe InstallerNPW.exe

description	pid	process	target process
PID 1672 set thread context of 3924	1672	InstallerNPW.exe	InstallerNPW.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

InstallerNPW.exe

description	pid	process	target process
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe
PID 1672 wrote to memory of 3924	1672	InstallerNPW.exe	InstallerNPW.exe

C:\Users\Admin\AppData\Local\Temp\InstallerNPW.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerNPW.exe"
2⤵
PID:3924

memory/3924-132-0x0000000000000000-mapping.dmp

Download
memory/3924-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3924-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3924-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download