marsstealer | f456a8901ab04ed11142a4f5413cbba1f13778a319b0c9d4815cb4f5e542c56c | Triage

Submit
Reports

Overview

overview

Static

static

8b526ff197...fe.exe

windows7-x64

8b526ff197...fe.exe

windows10-2004-x64

Sharing

General

Target

8b526ff1976f1ca1fde34987043d0dfe
Size

5.7MB
Sample

231219-yqc8waghgp
MD5

8b526ff1976f1ca1fde34987043d0dfe
SHA1

4148e8e132ea93c468f3cbe0bfd22e634534429e
SHA256

f456a8901ab04ed11142a4f5413cbba1f13778a319b0c9d4815cb4f5e542c56c
SHA512

17467935b180b02fd208f6e6b6a4501e8ef068ba585a498e72cbbcf17a930303105c561cfb1b865c018e106656e03a89004dcf62283536f2dbf8863461b972f0
SSDEEP

98304:AWRoEv+kq6JTWCyMOAqy0x1N4gPSBdBND3SzVnNTEPg+i+0H2auhP3dmt93bRs:X0kbFoy0xfxPadBN7agg80HZuh0ba

Score

10^/10

marsstealer spyware stealer vmprotect

Static task

static1

vmprotect marsstealer

3 signatures

Behavioral task

behavioral1

Sample

8b526ff1976f1ca1fde34987043d0dfe.exe

Resource

win7-20231215-en

marsstealer spyware stealer vmprotect

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

8b526ff1976f1ca1fde34987043d0dfe.exe

Resource

win10v2004-20231215-en

marsstealer spyware stealer vmprotect

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

marsstealer

C2

sadasew94okl234.000webhostapp.com/d1c107a865581ff88ad673786ee059f2.php

Targets

- Target
  
  8b526ff1976f1ca1fde34987043d0dfe
- Size
  
  5.7MB
- MD5
  
  8b526ff1976f1ca1fde34987043d0dfe
- SHA1
  
  4148e8e132ea93c468f3cbe0bfd22e634534429e
- SHA256
  
  f456a8901ab04ed11142a4f5413cbba1f13778a319b0c9d4815cb4f5e542c56c
- SHA512
  
  17467935b180b02fd208f6e6b6a4501e8ef068ba585a498e72cbbcf17a930303105c561cfb1b865c018e106656e03a89004dcf62283536f2dbf8863461b972f0
- SSDEEP
  
  98304:AWRoEv+kq6JTWCyMOAqy0x1N4gPSBdBND3SzVnNTEPg+i+0H2auhP3dmt93bRs:X0kbFoy0xfxPadBN7agg80HZuh0ba
Score

10^/10

marsstealer spyware stealer vmprotect
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

vmprotectmarsstealer

behavioral1

marsstealerspywarestealervmprotect

behavioral2

marsstealerspywarestealervmprotect

© 2018-2024

Terms | Privacy