Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2023 19:59
Behavioral task: behavioral1
- Sample: 8b526ff1976f1ca1fde34987043d0dfe.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8b526ff1976f1ca1fde34987043d0dfe.exe
- Resource: win10v2004-20231215-en
General
- Target: 8b526ff1976f1ca1fde34987043d0dfe.exe
- Size: 5.7MB
- MD5: 8b526ff1976f1ca1fde34987043d0dfe
- SHA1: 4148e8e132ea93c468f3cbe0bfd22e634534429e
- SHA256: f456a8901ab04ed11142a4f5413cbba1f13778a319b0c9d4815cb4f5e542c56c
- SHA512: 17467935b180b02fd208f6e6b6a4501e8ef068ba585a498e72cbbcf17a930303105c561cfb1b865c018e106656e03a89004dcf62283536f2dbf8863461b972f0
- SSDEEP: 98304:AWRoEv+kq6JTWCyMOAqy0x1N4gPSBdBND3SzVnNTEPg+i+0H2auhP3dmt93bRs:X0kbFoy0xfxPadBN7agg80HZuh0ba
Malware Config
Extracted (marsstealer):
- sadasew94okl234.000webhostapp.com/d1c107a865581ff88ad673786ee059f2.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  resource | yara_rule
  behavioral1/memory/2512-0-0x0000000000400000-0x00000000009B5000-memory.dmp | vmprotect
  behavioral1/memory/2512-15-0x0000000000400000-0x00000000009B5000-memory.dmp | vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  2512 | 8b526ff1976f1ca1fde34987043d0dfe.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  2800 | 2512 | WerFault.exe | 8b526ff1976f1ca1fde34987043d0dfe.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  2512 | 8b526ff1976f1ca1fde34987043d0dfe.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 2512 wrote to memory of 2800 | 2512 | 8b526ff1976f1ca1fde34987043d0dfe.exe | WerFault.exe
  PID 2512 wrote to memory of 2800 | 2512 | 8b526ff1976f1ca1fde34987043d0dfe.exe | WerFault.exe
  PID 2512 wrote to memory of 2800 | 2512 | 8b526ff1976f1ca1fde34987043d0dfe.exe | WerFault.exe
  PID 2512 wrote to memory of 2800 | 2512 | 8b526ff1976f1ca1fde34987043d0dfe.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8b526ff1976f1ca1fde34987043d0dfe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b526ff1976f1ca1fde34987043d0dfe.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2512
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 808
    - Program crash
    PID: 2800