Analysis

max time kernel: 50s
max time network: 20s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2023 02:19
Static task: static1
Behavioral task: behavioral1
  Sample: Ghost Hunter Vena_d-34UG1.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Ghost Hunter Vena_d-34UG1.exe
  Resource: win10v2004-20231215-en
General

Target: Ghost Hunter Vena_d-34UG1.exe
Size: 10.5MB
MD5: 7c3cdfd4ec2ef7074aa6cba65aedec95
SHA1: b248fdaf6f4bdcb0c470059065069c931c9b6362
SHA256: 6dea57ecfe1a092b1c434f571276426140f18b514b79128f8daee7d61cd85c63
SHA512: c40ba8d6663ea6a3e9125d8bcdb2cae8fc34cfc9d6b70746769d7c0921176f21a881f85a91f6f6280f7ddacd654d7ae394de01718a8210968ed8cafe2f82de52
SSDEEP: 12288:fuI/t26BoC4OIrOdSj5KFbkj2jUUDJLLUp+ezD3iH:TuOdSf2IKRU
Malware Config

Extracted: marsstealer (Default)
Signatures

- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2620  GKJAF.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    2932  Ghost Hunter Vena_d-34UG1.exe
    2932  Ghost Hunter Vena_d-34UG1.exe
    2668  WerFault.exe
    2668  WerFault.exe
    2668  WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    2668  2620  WerFault.exe  GKJAF.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 2932 wrote to memory of 2620  2932  Ghost Hunter Vena_d-34UG1.exe  GKJAF.exe  (4 rows)
    PID 2620 wrote to memory of 2668  2620  GKJAF.exe  WerFault.exe  (4 rows)
  Note that PID 2668 is the WerFault.exe instance that the Program crash entry ties to the crash of 2620, so the four 2620 -> 2668 writes belong to crash reporting; the four 2932 -> 2620 writes, from the sample into the executable it dropped, are the ones to examine for injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"
   PID: 2932
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe"
      PID: 2620
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808
         PID: 2668
         - Loads dropped DLL
         - Program crash

The numbers 1, 2, 3 are the nesting depth in the tree. In the WerFault.exe command line, -p 2620 names the faulting process (GKJAF.exe); a WerFault.exe started from SysWOW64 rather than System32 means that process was running as 32-bit (WOW64) on this x64 image. The Low subfolder of Temp is the low-integrity temp directory.
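To triage the WriteProcessMemory and Program crash signatures from the flattened report rather than by eye, here is an added Python example; it is not part of the sandbox output or of the sample. It parses the "PID X wrote to memory of Y" rows and the process-tree paths, counts writes per writer/target pair, recovers the root-first chain, and separates writes into the crash handler (the WerFault.exe started with -p for the writer itself) from writes from a loader in %TEMP% into a dropped child. The event text and paths are constructed from the report's own values; the labels "temp-to-temp" and "crash-handler" are this example's own.

```python
import re
from collections import Counter

# Constructed input: the report's "Suspicious use of WriteProcessMemory" rows,
# one per line. PIDs, image names and counts are the page's; the layout is ours.
WPM_EVENTS = """\
PID 2932 wrote to memory of 2620 2932 Ghost Hunter Vena_d-34UG1.exe GKJAF.exe
PID 2932 wrote to memory of 2620 2932 Ghost Hunter Vena_d-34UG1.exe GKJAF.exe
PID 2932 wrote to memory of 2620 2932 Ghost Hunter Vena_d-34UG1.exe GKJAF.exe
PID 2932 wrote to memory of 2620 2932 Ghost Hunter Vena_d-34UG1.exe GKJAF.exe
PID 2620 wrote to memory of 2668 2620 GKJAF.exe WerFault.exe
PID 2620 wrote to memory of 2668 2620 GKJAF.exe WerFault.exe
PID 2620 wrote to memory of 2668 2620 GKJAF.exe WerFault.exe
PID 2620 wrote to memory of 2668 2620 GKJAF.exe WerFault.exe
"""

# Process-tree paths and the WerFault command line, as shown in the report.
PROCESS_PATHS = {
    2932: r"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe",
    2620: r"C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe",
    2668: r"C:\Windows\SysWOW64\WerFault.exe",
}
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808"

# The writer's image name may contain spaces (it does here); the target name is
# assumed not to, because it is the final token of the row.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>.+?\.exe) (?P<dst_name>\S+\.exe)$"
)


def parse_wpm_events(text):
    """Count WriteProcessMemory rows per (writer_pid, target_pid)."""
    hits = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            hits[(int(m["src"]), int(m["dst"]))] += 1
    return hits


def crashed_pid(werfault_cmdline):
    """WerFault.exe is started with -p <pid> of the faulting process."""
    m = re.search(r"\s-p\s+(\d+)", werfault_cmdline)
    return int(m.group(1)) if m else None


def write_chain(hits):
    """Root-first order of writers; the root is a PID nobody wrote into.
    Follows a linear chain, which is all this report needs; a branching
    tree would need a proper walk."""
    writers = {s for s, _ in hits}
    targets = {d for _, d in hits}
    chain = []
    for pid in sorted(writers - targets):
        chain.append(pid)
        while True:
            nxt = sorted(d for s, d in hits if s == pid and d not in chain)
            if not nxt:
                break
            pid = nxt[0]
            chain.append(pid)
    return chain


def in_user_temp(path):
    """Crude location check: anything under a profile's AppData\\Local\\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


def triage(hits, paths, werfault_cmdline):
    """Label every writer->target pair: {(src, dst): (count, label)}."""
    crash = crashed_pid(werfault_cmdline)
    labelled = {}
    for (src, dst), count in hits.items():
        src_path, dst_path = paths[src], paths[dst]
        if dst_path.lower().endswith("\\werfault.exe") and crash == src:
            label = "crash-handler"  # target is the WER instance started for src itself
        elif in_user_temp(src_path) and in_user_temp(dst_path):
            label = "temp-to-temp"   # a loader in %TEMP% writing into its dropped child
        else:
            label = "other"
        labelled[(src, dst)] = (count, label)
    return labelled


if __name__ == "__main__":
    hits = parse_wpm_events(WPM_EVENTS)
    names = [f"{p} {PROCESS_PATHS[p].rsplit(chr(92), 1)[-1]}" for p in write_chain(hits)]
    print("chain:", " -> ".join(names))
    for (s, d), (n, label) in triage(hits, PROCESS_PATHS, WERFAULT_CMDLINE).items():
        print(f"{s} -> {d}: {n} writes, {label}")
```

The "crash-handler" label is deliberately narrow: it only fires when the target is WerFault.exe and that WerFault was started with -p equal to the writer's own PID, which is what the report shows for 2620 and 2668. A WerFault.exe reached by any other route stays "other" and keeps analyst attention.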
Network
MITRE ATT&CK Enterprise v15
Downloads

- File 1
  Filesize: 27KB
  MD5: 2f99ffd868c5ff919d23897058537c8e
  SHA1: 7f8f0cba294440026627ad86b5812b5bd5e535e6
  SHA256: 9660b3d526da3fe03549ef62b2dfddb3cb6f38e28f084df9e729a3b50e3e076f
  SHA512: 2425ade2f9670e1b8303061b0dae6b83d5f8fd686e8ea568d68de20f900e918d0d17b74b5f8e89cf0abf079374bb43c3b9f0ab7d30933abc20dc67f7b9afc443
- File 2
  Filesize: 51KB
  MD5: 6bdc999a6baedf655e2445d777cf4eef
  SHA1: 09f9372be9f20c9554d352d0571f0c8949b601d5
  SHA256: 51631895140e1927ca33d970f3e49500d4103c048d1a2105f8f0e2a146b927c4
  SHA512: 1f4cd6ed5238ba114c15413251097d952d266f3966bc7ce59aa8c8919f41efb7acc54d291cd5c1336105d1632929ea5c838f981ff13d38606ab03ec4a202d233
- File 3
  Filesize: 159KB
  MD5: c68be1642adc5cb69f48b5a7605984ff
  SHA1: 091f7a33e6e0ddca20b5384d82edcf17feed921b
  SHA256: 26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df
  SHA512: 0198b77c624df5639e058e46e92085410bb0f3aca2b45e9ffa9dc26588134755b5e13e213057dd6918f8f2573c214023bd04dc07b68ca329b7e5a440b2f5013f
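Added example, not part of the report: a single-pass hasher and matcher for the digests listed on this page, so a file recovered from another host can be compared against the submitted sample and the three downloaded files without reading a 10.5MB binary four times. The IoC table repeats the page's values; the entry labels are this example's own names (the report does not name the downloaded files), and the table check guards against hashes truncated or mangled in copy-paste before they are used for matching.

```python
import hashlib
import io

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Digests copied from the report; labels are assumed names for the entries.
IOC_TABLE = [
    {"label": "sample Ghost Hunter Vena_d-34UG1.exe (10.5MB)",
     "md5": "7c3cdfd4ec2ef7074aa6cba65aedec95",
     "sha1": "b248fdaf6f4bdcb0c470059065069c931c9b6362",
     "sha256": "6dea57ecfe1a092b1c434f571276426140f18b514b79128f8daee7d61cd85c63",
     "sha512": "c40ba8d6663ea6a3e9125d8bcdb2cae8fc34cfc9d6b70746769d7c0921176f21a881f85a91f6f6280f7ddacd654d7ae394de01718a8210968ed8cafe2f82de52"},
    {"label": "download 1 (27KB)",
     "md5": "2f99ffd868c5ff919d23897058537c8e",
     "sha1": "7f8f0cba294440026627ad86b5812b5bd5e535e6",
     "sha256": "9660b3d526da3fe03549ef62b2dfddb3cb6f38e28f084df9e729a3b50e3e076f",
     "sha512": "2425ade2f9670e1b8303061b0dae6b83d5f8fd686e8ea568d68de20f900e918d0d17b74b5f8e89cf0abf079374bb43c3b9f0ab7d30933abc20dc67f7b9afc443"},
    {"label": "download 2 (51KB)",
     "md5": "6bdc999a6baedf655e2445d777cf4eef",
     "sha1": "09f9372be9f20c9554d352d0571f0c8949b601d5",
     "sha256": "51631895140e1927ca33d970f3e49500d4103c048d1a2105f8f0e2a146b927c4",
     "sha512": "1f4cd6ed5238ba114c15413251097d952d266f3966bc7ce59aa8c8919f41efb7acc54d291cd5c1336105d1632929ea5c838f981ff13d38606ab03ec4a202d233"},
    {"label": "download 3 (159KB)",
     "md5": "c68be1642adc5cb69f48b5a7605984ff",
     "sha1": "091f7a33e6e0ddca20b5384d82edcf17feed921b",
     "sha256": "26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df",
     "sha512": "0198b77c624df5639e058e46e92085410bb0f3aca2b45e9ffa9dc26588134755b5e13e213057dd6918f8f2573c214023bd04dc07b68ca329b7e5a440b2f5013f"},
]


def hash_stream(fh, chunk_size=1 << 20):
    """Feed each chunk to all four hashers so the file is read exactly once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    """Same digests for an in-memory buffer (used for constructed test input)."""
    return hash_stream(io.BytesIO(data))


def validate_ioc_table(table):
    """Return (label, algo) pairs whose digest is not lowercase-able hex of
    the right length; a truncated SHA256 would otherwise never match."""
    bad = []
    for entry in table:
        for algo, length in HEX_LEN.items():
            value = entry.get(algo)
            if value is None:
                continue
            v = value.lower()
            if len(v) != length or any(c not in "0123456789abcdef" for c in v):
                bad.append((entry["label"], algo))
    return bad


def match_iocs(digests, table):
    """Entries sharing at least one digest with the file.

    'disagree' lists the entry's algorithms whose digest differs. A partial
    match (MD5 equal, SHA256 different) should be read as a transcription
    error or a collision, never as a confirmed hit."""
    hits = []
    for entry in table:
        agree = [a for a in ALGOS if a in entry and entry[a].lower() == digests[a]]
        disagree = [a for a in ALGOS if a in entry and entry[a].lower() != digests[a]]
        if agree:
            hits.append({"label": entry["label"], "agree": agree, "disagree": disagree})
    return hits


if __name__ == "__main__":
    import sys
    problems = validate_ioc_table(IOC_TABLE)
    if problems:
        sys.exit(f"malformed IoC entries: {problems}")
    for path in sys.argv[1:]:
        d = hash_file(path)
        print(path, d["sha256"], match_iocs(d, IOC_TABLE) or "no match")
```

Run it as `python ioc_match.py suspect.bin` (script name assumed). Matching on all four algorithms at once costs nothing extra in I/O and makes a single-algorithm collision or a mistyped hash visible as a partial match instead of a silent true or false.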