marsstealer | 69779c8531872ce18a47e818dea9e838f240cd9c38781880ef322a447cfd7d83

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ResourceHacker.exe
Size

434KB
MD5

66b3a222bcf3464b389c9d7a697e3f05
SHA1

3958ae2a5824e7cba1409798f34bc1b9ac05ce2b
SHA256

69779c8531872ce18a47e818dea9e838f240cd9c38781880ef322a447cfd7d83
SHA512

2018369c510a69e07c01bf4c28ae87a8f8e615494bff5f7967c17bf75b5a17aabab37afaa32a6e83543b378ebf91862aa7414d4c6be65da174578ad83f6316ef
SSDEEP

12288:gY+jwDMVvTaEDwWaLrBV77u96a/duPXz5E4sUFqr8orLS:OmWGHHxQ8Yf

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

151.236.218.158/wp/blog.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	ResourceHacker.exe

Executes dropped EXE 1 IoCs

pid	Process
1476	PAV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1476	1528	ResourceHacker.exe	82
PID 1528 wrote to memory of 1476	1528	ResourceHacker.exe	82
PID 1528 wrote to memory of 1476	1528	ResourceHacker.exe	82

C:\Users\Admin\AppData\Local\Temp\ResourceHacker.exe
"C:\Users\Admin\AppData\Local\Temp\ResourceHacker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Roaming\Adobe\PAV.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\PAV.exe"
  2⤵
  - Executes dropped EXE
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\PAV.exe

Filesize
159KB

MD5
9ba4cc9fc466953be23da2b8f6103c5c

SHA1
8a8ae46201bf0911f5566b909dab0c9f0eff38c0

SHA256
7877c08fba0ff1a892650af1ddbecb5dff4f66d7f0b3d705815947392710a197

SHA512
af1da9977e4a4cd83611dbe1690ba6c09cf919777c80de9d3ec1afb40d10e7eb56617746f0ca171cac1ab7c99f5656fb6b69589daa352ff931db260d2822be82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\PAV.exe

Filesize
159KB

MD5
9ba4cc9fc466953be23da2b8f6103c5c

SHA1
8a8ae46201bf0911f5566b909dab0c9f0eff38c0

SHA256
7877c08fba0ff1a892650af1ddbecb5dff4f66d7f0b3d705815947392710a197

SHA512
af1da9977e4a4cd83611dbe1690ba6c09cf919777c80de9d3ec1afb40d10e7eb56617746f0ca171cac1ab7c99f5656fb6b69589daa352ff931db260d2822be82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\PAV.exe

Filesize
159KB

MD5
9ba4cc9fc466953be23da2b8f6103c5c

SHA1
8a8ae46201bf0911f5566b909dab0c9f0eff38c0

SHA256
7877c08fba0ff1a892650af1ddbecb5dff4f66d7f0b3d705815947392710a197

SHA512
af1da9977e4a4cd83611dbe1690ba6c09cf919777c80de9d3ec1afb40d10e7eb56617746f0ca171cac1ab7c99f5656fb6b69589daa352ff931db260d2822be82

Download Submit
memory/1476-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1476-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1528-0-0x0000000000960000-0x00000000009D2000-memory.dmp

Filesize
456KB

Download
memory/1528-2-0x00007FFB67650000-0x00007FFB68111000-memory.dmp

Filesize
10.8MB

Download
memory/1528-3-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/1528-13-0x00007FFB67650000-0x00007FFB68111000-memory.dmp

Filesize
10.8MB

Download