marsstealer | 566a36b032dc9b2547ca992342151ca1b1d7673e727358f1316c8c67a62ca8a6

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

utweb_installer.exe
Size

5.7MB
MD5

5d735b58f9fe896247dfd619893b830c
SHA1

8fa7c334c12112a61af7177c47e3b824d44e1963
SHA256

566a36b032dc9b2547ca992342151ca1b1d7673e727358f1316c8c67a62ca8a6
SHA512

a9348f244aa7ff90ad0db73ae119ed94d3469caa59978883dd51de952ee166c1ed1f96ecaab218c746e5b7e5ffdfae71b8305f3319741527b81ec0db96b39db2
SSDEEP

49152:SuUT9ho5s6WlsNgoJSFLu2xbpju1rvK1dfZXwPsaYwwZQlF2whluVg8GxNrgnWJk:

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

rakishev.org/wp-mail.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	utweb_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	TM7WLP7X.exe

Executes dropped EXE 4 IoCs

pid	Process
400	TM7WLP7X.exe
1184	7DGS6T0R.exe
2800	D.exe
4648	7DGS6T0R.tmp

Loads dropped DLL 2 IoCs

pid	Process
4648	7DGS6T0R.tmp
4648	7DGS6T0R.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 400	648	utweb_installer.exe	87
PID 648 wrote to memory of 400	648	utweb_installer.exe	87
PID 648 wrote to memory of 1184	648	utweb_installer.exe	88
PID 648 wrote to memory of 1184	648	utweb_installer.exe	88
PID 648 wrote to memory of 1184	648	utweb_installer.exe	88
PID 400 wrote to memory of 2800	400	TM7WLP7X.exe	90
PID 400 wrote to memory of 2800	400	TM7WLP7X.exe	90
PID 400 wrote to memory of 2800	400	TM7WLP7X.exe	90
PID 1184 wrote to memory of 4648	1184	7DGS6T0R.exe	91
PID 1184 wrote to memory of 4648	1184	7DGS6T0R.exe	91
PID 1184 wrote to memory of 4648	1184	7DGS6T0R.exe	91

C:\Users\Admin\AppData\Local\Temp\utweb_installer.exe
"C:\Users\Admin\AppData\Local\Temp\utweb_installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:648
- C:\ProgramData\WindowsHolographicDevices\TM7WLP7X.exe
  "C:\ProgramData\WindowsHolographicDevices\TM7WLP7X.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Roaming\Adobe\D.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\D.exe"
    3⤵
    - Executes dropped EXE
    PID:2800
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7DGS6T0R.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7DGS6T0R.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\is-06QSM.tmp\7DGS6T0R.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-06QSM.tmp\7DGS6T0R.tmp" /SL5="$70090,897608,818688,C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7DGS6T0R.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevices\TM7WLP7X.exe

Filesize
434KB

MD5
2505deadb75f1a5b4a873a13e8db878e

SHA1
690a6bc8736382db35c0249540a6c1c00168cbd7

SHA256
beb7d4011abd1bf49a62df646c8450fa5945bd27cd5895b995452dc85899a9a6

SHA512
5fcea8848d3b358aebaa2e6fab22e950ff3fec41315c6721f3b930451dd5ae80fe95442d41574d4a9b3ef2775226503845ee61b6b9595b3f6e42bcb37c03020c

Download Submit
C:\ProgramData\WindowsHolographicDevices\TM7WLP7X.exe

Filesize
434KB

MD5
2505deadb75f1a5b4a873a13e8db878e

SHA1
690a6bc8736382db35c0249540a6c1c00168cbd7

SHA256
beb7d4011abd1bf49a62df646c8450fa5945bd27cd5895b995452dc85899a9a6

SHA512
5fcea8848d3b358aebaa2e6fab22e950ff3fec41315c6721f3b930451dd5ae80fe95442d41574d4a9b3ef2775226503845ee61b6b9595b3f6e42bcb37c03020c

Download Submit
C:\ProgramData\WindowsHolographicDevices\TM7WLP7X.exe

Filesize
434KB

MD5
2505deadb75f1a5b4a873a13e8db878e

SHA1
690a6bc8736382db35c0249540a6c1c00168cbd7

SHA256
beb7d4011abd1bf49a62df646c8450fa5945bd27cd5895b995452dc85899a9a6

SHA512
5fcea8848d3b358aebaa2e6fab22e950ff3fec41315c6721f3b930451dd5ae80fe95442d41574d4a9b3ef2775226503845ee61b6b9595b3f6e42bcb37c03020c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7DGS6T0R.exe

Filesize
1.7MB

MD5
a308d01eaa587d15fc7d41a0394c8c76

SHA1
78802ead2c2fca2de29a0e8b9877cc50706be14b

SHA256
543ceaeb949f608d2a8b89612e89a172d1e37f06171fe573ac48ed928ae94e0b

SHA512
affcc3297b851b1695f01258a684bc3d37bf34e2c8faeba0b5d3367dcf46bc132876ca2d5d9ebbc4f3d8209ce85ceb0b7c5b84c7b33a78969e892410e5c53aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7DGS6T0R.exe

Filesize
1.7MB

MD5
a308d01eaa587d15fc7d41a0394c8c76

SHA1
78802ead2c2fca2de29a0e8b9877cc50706be14b

SHA256
543ceaeb949f608d2a8b89612e89a172d1e37f06171fe573ac48ed928ae94e0b

SHA512
affcc3297b851b1695f01258a684bc3d37bf34e2c8faeba0b5d3367dcf46bc132876ca2d5d9ebbc4f3d8209ce85ceb0b7c5b84c7b33a78969e892410e5c53aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7DGS6T0R.exe

Filesize
1.7MB

MD5
a308d01eaa587d15fc7d41a0394c8c76

SHA1
78802ead2c2fca2de29a0e8b9877cc50706be14b

SHA256
543ceaeb949f608d2a8b89612e89a172d1e37f06171fe573ac48ed928ae94e0b

SHA512
affcc3297b851b1695f01258a684bc3d37bf34e2c8faeba0b5d3367dcf46bc132876ca2d5d9ebbc4f3d8209ce85ceb0b7c5b84c7b33a78969e892410e5c53aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-06QSM.tmp\7DGS6T0R.tmp

Filesize
3.0MB

MD5
f3b9af66873bfcd6b636312afe163da1

SHA1
9676d7cce088ed6715c524a80bd4c47ec264efc1

SHA256
6a9b5e1e482e7edb48436ef2572f9789c556aa357e2e0e0f0ecc799224614497

SHA512
2fff77f6e461fb493ce3c75b215836b11c87e5a55171d733b3281db05f7baaf17b4a165b3113030f49e4679cb14922094e51ef490cca819fc79c16715c6f7384

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68CTV.tmp\Logo.png

Filesize
12KB

MD5
a00cfe887e254c462ad0c6a6d3fb25b6

SHA1
c603a192e23df46c719febf07fd4207c96b1f0f9

SHA256
bca0271f56f7384942ff3affb79fa78ccdceabf7dda89ad3c138226da324cdb1

SHA512
6dc95a05e2712d85067aa92144f7e00871d2f60e377c6df0253e3ff48a02280d4148578fbbf22018693227bdcc035a8bd391f3c390aed39ca58749f28fc19862

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68CTV.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68CTV.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68CTV.tmp\uTorrent.png

Filesize
24KB

MD5
b2163b465c31d3be9350fe76428ca388

SHA1
8f9c1294c953df03cace44a6b75e118e2d30f28e

SHA256
83efcb5c0c18bb4a4f116252711da5e1fb238aa851e6e108a47884efde1bbc22

SHA512
4247fc5c725dc92758037eb5ba4084e3d341c2b277ff78bdd6fd093639cfe22006d611aa4f9ace9ff52a2fdad1014df8dfa4390e2de9772954f092240796c633

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\D.exe

Filesize
159KB

MD5
cdae01e46ea3123bae7b1d77bbf9d3a9

SHA1
59d84c8b2d5058331ea076dac6c71bd8512d04bc

SHA256
3630911c356752e83799548176fbf7e90c59b2abf9b4dfa773bc896b325cab5e

SHA512
ba3988589ac0c0ba6d7dc02aadd49b1d81b084e871e272634c5880fbc5f39c00ee4410bd5a1ece087188891e903995b68fc02301a9b6e3823839cd7d890741ae

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\D.exe

Filesize
159KB

MD5
cdae01e46ea3123bae7b1d77bbf9d3a9

SHA1
59d84c8b2d5058331ea076dac6c71bd8512d04bc

SHA256
3630911c356752e83799548176fbf7e90c59b2abf9b4dfa773bc896b325cab5e

SHA512
ba3988589ac0c0ba6d7dc02aadd49b1d81b084e871e272634c5880fbc5f39c00ee4410bd5a1ece087188891e903995b68fc02301a9b6e3823839cd7d890741ae

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\D.exe

Filesize
159KB

MD5
cdae01e46ea3123bae7b1d77bbf9d3a9

SHA1
59d84c8b2d5058331ea076dac6c71bd8512d04bc

SHA256
3630911c356752e83799548176fbf7e90c59b2abf9b4dfa773bc896b325cab5e

SHA512
ba3988589ac0c0ba6d7dc02aadd49b1d81b084e871e272634c5880fbc5f39c00ee4410bd5a1ece087188891e903995b68fc02301a9b6e3823839cd7d890741ae

Download Submit
memory/400-21-0x00007FFCB81B0000-0x00007FFCB8C71000-memory.dmp

Filesize
10.8MB

Download
memory/400-20-0x00000000000B0000-0x0000000000122000-memory.dmp

Filesize
456KB

Download
memory/400-26-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/400-38-0x00007FFCB81B0000-0x00007FFCB8C71000-memory.dmp

Filesize
10.8MB

Download
memory/648-68-0x00007FFCB81B0000-0x00007FFCB8C71000-memory.dmp

Filesize
10.8MB

Download
memory/648-0-0x0000000000760000-0x0000000000D16000-memory.dmp

Filesize
5.7MB

Download
memory/648-1-0x00007FFCB81B0000-0x00007FFCB8C71000-memory.dmp

Filesize
10.8MB

Download
memory/648-62-0x00007FFCB81B0000-0x00007FFCB8C71000-memory.dmp

Filesize
10.8MB

Download
memory/1184-24-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1184-63-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2800-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4648-52-0x0000000003990000-0x000000000399F000-memory.dmp

Filesize
60KB

Download
memory/4648-41-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4648-66-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4648-67-0x0000000003990000-0x000000000399F000-memory.dmp

Filesize
60KB

Download
memory/4648-69-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download