marsstealer | 2f1dbad2bc8a6b152996dcb415f01ff0350e75119663914aade45be5beb3f024

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

少女被干屁眼的唯美肛交色情视频.exe
Size

11.4MB
MD5

ea90ad0eff7026613e7ec2b865606a7c
SHA1

ecf19163b425c94cfee2d39c83ee02763a6dd022
SHA256

2f1dbad2bc8a6b152996dcb415f01ff0350e75119663914aade45be5beb3f024
SHA512

9dd35f881c8dd3c0ace4835c0169c58e247b1d610d6924df5d7d3f0e1839280adc1bfb22c6fad361a9d7b3c79e56fad916cd6fe2e60354db561c6bb545ffc297
SSDEEP

12288:/T9t8OedF3+2r2gnz+YJtOsuXUHmT3eSFnOVyFsH:7ofnzTtCJPi

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

kenesrakishev.net/wp-admin/admin-ajax.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	少女被干屁眼的唯美肛交色情视频.exe

Executes dropped EXE 1 IoCs

pid	Process
4152	U2YTUM4K.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4152	3364	少女被干屁眼的唯美肛交色情视频.exe	85
PID 3364 wrote to memory of 4152	3364	少女被干屁眼的唯美肛交色情视频.exe	85
PID 3364 wrote to memory of 4152	3364	少女被干屁眼的唯美肛交色情视频.exe	85

C:\Users\Admin\AppData\Local\Temp\少女被干屁眼的唯美肛交色情视频.exe
"C:\Users\Admin\AppData\Local\Temp\少女被干屁眼的唯美肛交色情视频.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3364
- C:\ProgramData\USOShared\U2YTUM4K.exe
  "C:\ProgramData\USOShared\U2YTUM4K.exe"
  2⤵
  - Executes dropped EXE
  PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOShared\U2YTUM4K.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\ProgramData\USOShared\U2YTUM4K.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\ProgramData\USOShared\U2YTUM4K.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
memory/3364-0-0x0000000000140000-0x00000000001B6000-memory.dmp

Filesize
472KB

Download
memory/3364-1-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-2-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/3364-12-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/3364-13-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-15-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4152-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4152-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download