marsstealer | f26a5adb365053bf4a3729bfbf8864a4ec773888382245ddd8a3a6cc11840511

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ge‮piz.exe
Size

437KB
MD5

f17fb798ac933fab58a40afe23313ffd
SHA1

e14f54c039644d669bc8ae35121ff484bcfbc683
SHA256

f26a5adb365053bf4a3729bfbf8864a4ec773888382245ddd8a3a6cc11840511
SHA512

a4d7aceb9761e05bb500c7de34fd3e77ab3423753755bb41bae7aad1632b1a7da085915c9a8ba4fc63bba3b92e55292bbde20945453f55f3548040dddee3fea0
SSDEEP

12288:JkSpMucPgZUlb2hSsOabxNSulZdVFxWEvjZCZ9Iex8L5uflu:UXe8hxy+s

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Executes dropped EXE 1 IoCs

pid	Process
1668	ZX16UV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1668	836	ge‮piz.exe	28
PID 836 wrote to memory of 1668	836	ge‮piz.exe	28
PID 836 wrote to memory of 1668	836	ge‮piz.exe	28
PID 836 wrote to memory of 1668	836	ge‮piz.exe	28

C:\Users\Admin\AppData\Local\Temp\ge‮piz.exe
"C:\Users\Admin\AppData\Local\Temp\ge‮piz.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZX16UV.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZX16UV.exe"
  2⤵
  - Executes dropped EXE
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZX16UV.exe

Filesize
159KB

MD5
ee284686ee0aae914c67d638ccf5c609

SHA1
5dfaf67ac948ad5d0c81c75be72d1f5e98b5c95d

SHA256
5f8dbddd39bc3d6496d3c4f38b559733ac345c825f20733f8526bfe55560b2b5

SHA512
48fc668d0074ed0003133a7716782d88708a756ac8e0f8b86eb1c1780f37e1f64eb89250b5af944a311116c782d0ce6a5f73344baf4b07e6f69e1299f1338b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZX16UV.exe

Filesize
159KB

MD5
ee284686ee0aae914c67d638ccf5c609

SHA1
5dfaf67ac948ad5d0c81c75be72d1f5e98b5c95d

SHA256
5f8dbddd39bc3d6496d3c4f38b559733ac345c825f20733f8526bfe55560b2b5

SHA512
48fc668d0074ed0003133a7716782d88708a756ac8e0f8b86eb1c1780f37e1f64eb89250b5af944a311116c782d0ce6a5f73344baf4b07e6f69e1299f1338b1a

Download Submit
memory/836-0-0x0000000000D80000-0x0000000000DF2000-memory.dmp

Filesize
456KB

Download
memory/836-1-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/836-10-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1668-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download