marsstealer | 44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Зоркий Глаз 5.409 (setup).exe
Size

5.9MB
MD5

f0c2a8ff2890cad08f17e607ccdda7fc
SHA1

87fbf60e9ba1d60b546347632f1884fe1c531f0f
SHA256

44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb
SHA512

4001a301c6b7295126c7bcc79122ebdd85e7976224e3399b03285cebfc623550f186c45285f78116927c2ed26496ab475d91739adc918a0b390512064651732c
SSDEEP

49152:9so8Likxo9IiDqmbTp15J+/EE8Yfbebq/9jTaOS9SW5NyBFTGbxN+owQ:

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

rakishev.org/wp-load.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Executes dropped EXE 4 IoCs

pid	Process
1872	DWFCKBOM.exe
3036	6IOKEGSR.exe
2660	6IOKEGSR.tmp
2812	C.exe

Loads dropped DLL 3 IoCs

pid	Process
3036	6IOKEGSR.exe
2660	6IOKEGSR.tmp
2660	6IOKEGSR.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2660	6IOKEGSR.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1872	1100	Зоркий Глаз 5.409 (setup).exe	30
PID 1100 wrote to memory of 1872	1100	Зоркий Глаз 5.409 (setup).exe	30
PID 1100 wrote to memory of 1872	1100	Зоркий Глаз 5.409 (setup).exe	30
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 1100 wrote to memory of 3036	1100	Зоркий Глаз 5.409 (setup).exe	31
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 3036 wrote to memory of 2660	3036	6IOKEGSR.exe	32
PID 1872 wrote to memory of 2812	1872	DWFCKBOM.exe	33
PID 1872 wrote to memory of 2812	1872	DWFCKBOM.exe	33
PID 1872 wrote to memory of 2812	1872	DWFCKBOM.exe	33
PID 1872 wrote to memory of 2812	1872	DWFCKBOM.exe	33

C:\Users\Admin\AppData\Local\Temp\Зоркий Глаз 5.409 (setup).exe
"C:\Users\Admin\AppData\Local\Temp\Зоркий Глаз 5.409 (setup).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\ProgramData\Microsoft\DWFCKBOM.exe
  "C:\ProgramData\Microsoft\DWFCKBOM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Roaming\Adobe\C.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\C.exe"
    3⤵
    - Executes dropped EXE
    PID:2812
- C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe
  "C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp" /SL5="$40196,1628111,62976,C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DWFCKBOM.exe

Filesize
434KB

MD5
0541dbe9dc3430860997086e63db74a9

SHA1
ba922c9fb5eb75ac97ceba4c54c423f8e89d8eb5

SHA256
b34c6fa3634b5c3cc501bf21d72e82cd57b4bd9e32d22fb4e31f7d83d852b691

SHA512
32240a020bf8ce4ec593a713f49369f52b9525cc1a428fcde4fa71bd26c60ccc065e3f2c619de8a5ef1e2396d40668e65c341ec7ff53451c0e857a5afb383dcf

Download Submit
C:\ProgramData\Microsoft\DWFCKBOM.exe

Filesize
434KB

MD5
0541dbe9dc3430860997086e63db74a9

SHA1
ba922c9fb5eb75ac97ceba4c54c423f8e89d8eb5

SHA256
b34c6fa3634b5c3cc501bf21d72e82cd57b4bd9e32d22fb4e31f7d83d852b691

SHA512
32240a020bf8ce4ec593a713f49369f52b9525cc1a428fcde4fa71bd26c60ccc065e3f2c619de8a5ef1e2396d40668e65c341ec7ff53451c0e857a5afb383dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp

Filesize
704KB

MD5
458bac8ff4cbe11156085a760de497b7

SHA1
e1661550462590f1b7671be2d539877a54bdf3bc

SHA256
65df91de6d9b3814cf3148c45136a23e4a2db676d96524e8b721385db26dbfde

SHA512
3a0a4a01e447516768247c129ed9a8ec4796eb92b0e6aa2bc2280b7481be05a06852022747b8496c4f5545d849f97e28feda49258e405fbeb656ed9bc2247ce6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\C.exe

Filesize
159KB

MD5
dc04cd84d39f8ad4354de37702a9a980

SHA1
db928ad60a7c29d5f5287b5f984d2e78fa64479a

SHA256
5f239096c327b22c21c0205dde0d8dc4c41f458be802f74f54cdc5ba38921668

SHA512
a98f7aebf4237e5768c8fffa00e758b9549cf24e06cced7bef509dcca4c77c8097f91aa1bfdc4616f23ae66aa780004ed79f796401be0a35b2e4a9080f1d5401

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\C.exe

Filesize
159KB

MD5
dc04cd84d39f8ad4354de37702a9a980

SHA1
db928ad60a7c29d5f5287b5f984d2e78fa64479a

SHA256
5f239096c327b22c21c0205dde0d8dc4c41f458be802f74f54cdc5ba38921668

SHA512
a98f7aebf4237e5768c8fffa00e758b9549cf24e06cced7bef509dcca4c77c8097f91aa1bfdc4616f23ae66aa780004ed79f796401be0a35b2e4a9080f1d5401

Download Submit
C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe

Filesize
1.8MB

MD5
92902065645b8747ea3cbed5eb3bc288

SHA1
dc47d1b6ec4a2dcb518b6777d54afb1528873a05

SHA256
919f781fcf6f439fb2b44146f027f42cca71a07e8c0e56baf5fa0f3640c77e93

SHA512
c6d3fa98b117a967310c9e7f39177d2db8c788186dcc6fd6a93699366088ce08c066b98bb708f9442e64d412f62b74e88f3b26a18344baa80896dbd09081bdc4

Download Submit
C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe

Filesize
1.8MB

MD5
92902065645b8747ea3cbed5eb3bc288

SHA1
dc47d1b6ec4a2dcb518b6777d54afb1528873a05

SHA256
919f781fcf6f439fb2b44146f027f42cca71a07e8c0e56baf5fa0f3640c77e93

SHA512
c6d3fa98b117a967310c9e7f39177d2db8c788186dcc6fd6a93699366088ce08c066b98bb708f9442e64d412f62b74e88f3b26a18344baa80896dbd09081bdc4

Download Submit
\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp

Filesize
704KB

MD5
458bac8ff4cbe11156085a760de497b7

SHA1
e1661550462590f1b7671be2d539877a54bdf3bc

SHA256
65df91de6d9b3814cf3148c45136a23e4a2db676d96524e8b721385db26dbfde

SHA512
3a0a4a01e447516768247c129ed9a8ec4796eb92b0e6aa2bc2280b7481be05a06852022747b8496c4f5545d849f97e28feda49258e405fbeb656ed9bc2247ce6

Download Submit
\Users\Admin\AppData\Local\Temp\is-4F0VR.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4F0VR.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1100-1-0x0000000000C50000-0x0000000001242000-memory.dmp

Filesize
5.9MB

Download
memory/1100-42-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1100-0-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1100-41-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-14-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/1872-8-0x0000000000E20000-0x0000000000E92000-memory.dmp

Filesize
456KB

Download
memory/1872-11-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-40-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-46-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2660-45-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2660-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2812-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3036-43-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3036-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3036-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download