Behavioral task: behavioral1
Sample: 8b526ff1976f1ca1fde34987043d0dfe.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8b526ff1976f1ca1fde34987043d0dfe.exe
Resource: win10v2004-20231215-en
General
- Target: 8b526ff1976f1ca1fde34987043d0dfe
- Size: 5.7MB
- MD5: 8b526ff1976f1ca1fde34987043d0dfe
- SHA1: 4148e8e132ea93c468f3cbe0bfd22e634534429e
- SHA256: f456a8901ab04ed11142a4f5413cbba1f13778a319b0c9d4815cb4f5e542c56c
- SHA512: 17467935b180b02fd208f6e6b6a4501e8ef068ba585a498e72cbbcf17a930303105c561cfb1b865c018e106656e03a89004dcf62283536f2dbf8863461b972f0
- SSDEEP: 98304:AWRoEv+kq6JTWCyMOAqy0x1N4gPSBdBND3SzVnNTEPg+i+0H2auhP3dmt93bRs:X0kbFoy0xfxPadBN7agg80HZuh0ba
Malware Config
Extracted
- marsstealer
- sadasew94okl234.000webhostapp.com/d1c107a865581ff88ad673786ee059f2.php
Signatures
- Marsstealer family
  Processes:
  resource | yara_rule
  sample | vmprotect
- Unsigned PE (1 IoCs)
  Checks for missing Authenticode signature.
  Processes:
  resource: 8b526ff1976f1ca1fde34987043d0dfe
Files
- 8b526ff1976f1ca1fde34987043d0dfe.exe
  windows:5 windows x86 arch:x86
  bb92365f695a2aa3964a650a36e117f6

Headers
- DLL Characteristics:
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
  IMAGE_DLLCHARACTERISTICS_NX_COMPAT
  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
- File Characteristics:
  IMAGE_FILE_RELOCS_STRIPPED
  IMAGE_FILE_EXECUTABLE_IMAGE
  IMAGE_FILE_32BIT_MACHINE
Imports
- msvcrt: strstr
- wtsapi32: WTSSendMessageW
- kernel32: VirtualQuery, LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
- user32: GetProcessWindowStation, GetProcessWindowStation, GetUserObjectInformationW
Exports
Sections
- .text (Size: 69KB, Virtual size: 72KB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .rdata (Size: 15KB, Virtual size: 16KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .data (Size: 512B, Virtual size: 8KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .vmp0 (Size: 6KB, Virtual size: 6KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- LLCPPC (Size: 512B, Virtual size: 60B): IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .vmp1 (Size: 3.2MB, Virtual size: 3.2MB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .vmp2 (Size: 2.4MB, Virtual size: 2.4MB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .reloc (Size: 14KB, Virtual size: 14KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ