marsstealer | 69779c8531872ce18a47e818dea9e838f240cd9c38781880ef322a447cfd7d83

Analysis

max time kernel
145s
max time network
164s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ResourceHacker.exe
Size

434KB
MD5

66b3a222bcf3464b389c9d7a697e3f05
SHA1

3958ae2a5824e7cba1409798f34bc1b9ac05ce2b
SHA256

69779c8531872ce18a47e818dea9e838f240cd9c38781880ef322a447cfd7d83
SHA512

2018369c510a69e07c01bf4c28ae87a8f8e615494bff5f7967c17bf75b5a17aabab37afaa32a6e83543b378ebf91862aa7414d4c6be65da174578ad83f6316ef
SSDEEP

12288:gY+jwDMVvTaEDwWaLrBV77u96a/duPXz5E4sUFqr8orLS:OmWGHHxQ8Yf

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

151.236.218.158/wp/blog.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Executes dropped EXE 1 IoCs

pid	Process
2584	K929FE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2584	1968	ResourceHacker.exe	29
PID 1968 wrote to memory of 2584	1968	ResourceHacker.exe	29
PID 1968 wrote to memory of 2584	1968	ResourceHacker.exe	29
PID 1968 wrote to memory of 2584	1968	ResourceHacker.exe	29

C:\Users\Admin\AppData\Local\Temp\ResourceHacker.exe
"C:\Users\Admin\AppData\Local\Temp\ResourceHacker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\K929FE.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\K929FE.exe"
  2⤵
  - Executes dropped EXE
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\K929FE.exe

Filesize
159KB

MD5
9ba4cc9fc466953be23da2b8f6103c5c

SHA1
8a8ae46201bf0911f5566b909dab0c9f0eff38c0

SHA256
7877c08fba0ff1a892650af1ddbecb5dff4f66d7f0b3d705815947392710a197

SHA512
af1da9977e4a4cd83611dbe1690ba6c09cf919777c80de9d3ec1afb40d10e7eb56617746f0ca171cac1ab7c99f5656fb6b69589daa352ff931db260d2822be82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\K929FE.exe

Filesize
159KB

MD5
9ba4cc9fc466953be23da2b8f6103c5c

SHA1
8a8ae46201bf0911f5566b909dab0c9f0eff38c0

SHA256
7877c08fba0ff1a892650af1ddbecb5dff4f66d7f0b3d705815947392710a197

SHA512
af1da9977e4a4cd83611dbe1690ba6c09cf919777c80de9d3ec1afb40d10e7eb56617746f0ca171cac1ab7c99f5656fb6b69589daa352ff931db260d2822be82

Download Submit
memory/1968-0-0x0000000001270000-0x00000000012E2000-memory.dmp

Filesize
456KB

Download
memory/1968-1-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-2-0x0000000000390000-0x0000000000410000-memory.dmp

Filesize
512KB

Download
memory/1968-11-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download