Analysis
max time kernel: 135s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 19:59
Behavioral task: behavioral1
Sample: 8b526ff1976f1ca1fde34987043d0dfe.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8b526ff1976f1ca1fde34987043d0dfe.exe
Resource: win10v2004-20231215-en
General
Target: 8b526ff1976f1ca1fde34987043d0dfe.exe
Size: 5.7MB
MD5: 8b526ff1976f1ca1fde34987043d0dfe
SHA1: 4148e8e132ea93c468f3cbe0bfd22e634534429e
SHA256: f456a8901ab04ed11142a4f5413cbba1f13778a319b0c9d4815cb4f5e542c56c
SHA512: 17467935b180b02fd208f6e6b6a4501e8ef068ba585a498e72cbbcf17a930303105c561cfb1b865c018e106656e03a89004dcf62283536f2dbf8863461b972f0
SSDEEP: 98304:AWRoEv+kq6JTWCyMOAqy0x1N4gPSBdBND3SzVnNTEPg+i+0H2auhP3dmt93bRs:X0kbFoy0xfxPadBN7agg80HZuh0ba
Malware Config
Extracted
Family: marsstealer
C2: sadasew94okl234.000webhostapp.com/d1c107a865581ff88ad673786ee059f2.php
Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule match: vmprotect (2 IoCs)
resource | yara_rule
behavioral2/memory/4984-0-0x0000000000400000-0x00000000009B5000-memory.dmp | vmprotect
behavioral2/memory/4984-7-0x0000000000400000-0x00000000009B5000-memory.dmp | vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
process | pid
8b526ff1976f1ca1fde34987043d0dfe.exe | 4984

Program crash (1 IoC)
process | pid | target process | pid_target
WerFault.exe | 532 | 8b526ff1976f1ca1fde34987043d0dfe.exe | 4984

Suspicious behavior: EnumeratesProcesses (2 IoCs)
process | pid
8b526ff1976f1ca1fde34987043d0dfe.exe | 4984
8b526ff1976f1ca1fde34987043d0dfe.exe | 4984
Processes

C:\Users\Admin\AppData\Local\Temp\8b526ff1976f1ca1fde34987043d0dfe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b526ff1976f1ca1fde34987043d0dfe.exe"
  PID: 4984
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\WerFault.exe (child of PID 4984)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1388
    PID: 532
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4984 -ip 4984
  PID: 4904
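The three artefact kinds this report exposes (memory-dump region names from the YARA matches, the WerFault.exe command lines, and the extracted C2 URL) are worth pulling into structured IoCs rather than reading by eye, because they cross-check each other: the dumped region 0x400000-0x9B5000 is 0x5B5000 bytes, roughly the reported 5.7MB file size, so the VMProtect-packed image was mapped whole at the classic non-ASLR 32-bit base, and the SysWOW64 WerFault.exe with "-p 4984" shows it was the sample process itself that crashed. The Python below is an added example written for this page, not part of the Triage report or of any tool it names; the input strings are copied from the report above, and it assumes the report's "5.7MB" means MiB and that the WerFault switches carry the meaning visible in the two command lines (-p crashed pid, -s event id, -ip parent/initiating pid).

```python
import re
from urllib.parse import urlsplit

# Inputs copied verbatim from the report above.
MEMORY_DUMPS = [
    "behavioral2/memory/4984-0-0x0000000000400000-0x00000000009B5000-memory.dmp",
    "behavioral2/memory/4984-7-0x0000000000400000-0x00000000009B5000-memory.dmp",
]
WERFAULT_CMDS = [
    "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4984 -s 1388",
    "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 364 -p 4984 -ip 4984",
]
C2_URL = "sadasew94okl234.000webhostapp.com/d1c107a865581ff88ad673786ee059f2.php"
REPORTED_SIZE_MB = 5.7  # "Size 5.7MB" from the General table; assumed to be MiB

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a sandbox memory-dump file name into pid, sequence and region bounds."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_werfault(cmdline):
    """Tokenise a WerFault.exe command line; -p/-s/-ip take a numeric argument (assumption from the report)."""
    tokens = cmdline.split()
    exe = tokens[0]
    out = {"exe": exe, "wow64": "SysWOW64" in exe, "flags": set()}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-p", "-s", "-ip") and i + 1 < len(tokens):
            out[tok.lstrip("-")] = int(tokens[i + 1])
            i += 2
        else:
            out["flags"].add(tok)  # bare switches such as -u and -pss
            i += 1
    return out


def parse_c2(url):
    """Split the scheme-less config URL into host, registrable-ish apex and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    return {"host": host, "apex": ".".join(host.split(".")[-2:]), "path": parts.path}


def image_fully_dumped(dump, size_mb, tolerance_mb=0.1):
    """True when the dumped region is about the size of the on-disk file (MiB assumed)."""
    return abs(dump["size"] / (1024 * 1024) - size_mb) <= tolerance_mb


def summarise():
    dumps = [parse_dump_name(n) for n in MEMORY_DUMPS]
    wer = [parse_werfault(c) for c in WERFAULT_CMDS]
    c2 = parse_c2(C2_URL)
    return {
        "dump_pids": sorted({d["pid"] for d in dumps}),
        "image_base": dumps[0]["start"],
        "dump_size": dumps[0]["size"],
        "image_fully_dumped": all(image_fully_dumped(d, REPORTED_SIZE_MB) for d in dumps),
        "crashed_pids": sorted({w["p"] for w in wer if "p" in w}),
        "wow64_crash_handler": all(w["wow64"] for w in wer),
        "c2_host": c2["host"],
        "c2_apex": c2["apex"],
        "c2_path": c2["path"],
    }


if __name__ == "__main__":
    for key, val in summarise().items():
        if key in ("image_base", "dump_size"):
            print(f"{key}: {val:#x}")
        else:
            print(f"{key}: {val}")
```

The crashed pid set and the dump pid set coinciding on 4984 is the check that matters when reading many of these reports: it tells you the dumps were taken from the stealer process before it died, so the unpacked region is worth carving even though the run ended in WerFault rather than in a completed exfiltration.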