General
-
Target
https://files.sberdisk.ru/s/P3DeBi6dum3WFh1
-
Sample
231119-ahdmnsga83
Malware Config
Extracted
marsstealer
Default
Targets
-
-
Target
https://files.sberdisk.ru/s/P3DeBi6dum3WFh1
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Detect Xworm Payload
-
Detect ZGRat V1
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Xworm
Xworm is a remote access trojan written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-