General

- Target: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
- Size: 622KB
- Sample: 230111-jc11fsfc5s
- MD5: a1eb9b01ff7b80dac067728bc1476c55
- SHA1: 40be959c6151c3a224189045084c0c729540390d
- SHA256: a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
- SHA512: bde60cd01dcfcba0053279725c9cae50b3941c3471bc41eddf8e287934f8f11e2218d9d5245b2cabae5a7ca58f5f66aaf4bb76c908e9f4d0fe4e03224d60ca33
- SSDEEP: 12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/
Static task

- static1

Behavioral task

- behavioral1
  - Sample: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
  - Resource: win7-20220812-en
- behavioral2
  - Sample: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
  - Resource: win10v2004-20220812-en
Malware Config

- Extracted family: marsstealer
- Botnet: Default
- C2: 152.89.218.97/gate.php
Targets

- Target: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
- Size: 622KB
- MD5: a1eb9b01ff7b80dac067728bc1476c55
- SHA1: 40be959c6151c3a224189045084c0c729540390d
- SHA256: a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
- SHA512: bde60cd01dcfcba0053279725c9cae50b3941c3471bc41eddf8e287934f8f11e2218d9d5245b2cabae5a7ca58f5f66aaf4bb76c908e9f4d0fe4e03224d60ca33
- SSDEEP: 12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/

Signatures

- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext