Analysis
max time kernel: 93s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2023 02:19

Static task: static1

Behavioral task: behavioral1
Sample: Ghost Hunter Vena_d-34UG1.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: Ghost Hunter Vena_d-34UG1.exe
Resource: win10v2004-20231215-en
General
Target: Ghost Hunter Vena_d-34UG1.exe
Size: 10.5MB
MD5: 7c3cdfd4ec2ef7074aa6cba65aedec95
SHA1: b248fdaf6f4bdcb0c470059065069c931c9b6362
SHA256: 6dea57ecfe1a092b1c434f571276426140f18b514b79128f8daee7d61cd85c63
SHA512: c40ba8d6663ea6a3e9125d8bcdb2cae8fc34cfc9d6b70746769d7c0921176f21a881f85a91f6f6280f7ddacd654d7ae394de01718a8210968ed8cafe2f82de52
SSDEEP: 12288:fuI/t26BoC4OIrOdSj5KFbkj2jUUDJLLUp+ezD3iH:TuOdSf2IKRU
Malware Config
Extracted
marsstealer
Default
moscow-post.ru/blogggg/blogger.php
Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation
  process: Ghost Hunter Vena_d-34UG1.exe

Executes dropped EXE (1 IoC)
Processes:
  pid: 3616
  process: A6XFCDNE2.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
  pid: 936
  pid_target: 3616
  process: WerFault.exe
  target process: A6XFCDNE2.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process                        target process
  PID 1664 wrote to memory of 3616  1664  Ghost Hunter Vena_d-34UG1.exe  A6XFCDNE2.exe
  PID 1664 wrote to memory of 3616  1664  Ghost Hunter Vena_d-34UG1.exe  A6XFCDNE2.exe
  PID 1664 wrote to memory of 3616  1664  Ghost Hunter Vena_d-34UG1.exe  A6XFCDNE2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"
  PID: 1664
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe"
    PID: 3616
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1404
      PID: 936
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3616 -ip 3616
  PID: 1648
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
Filesize: 86KB
MD5: 061647d33aba9b76568b724b75e51fa6
SHA1: 42fb62744aa41e2e3c78f6ad9ee690b71c9a019b
SHA256: 6891320b9cf5dbf1278eb5c262a19a977d199666560dab26f920967e3f387474
SHA512: a606acce217895032688cc2cd88b6cbad5b80fca300b6d29c4f827b49de8732feeeba67678867f3837ca4002870fb20f849619418f2943668b3231e7f1af1628

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
Filesize: 97KB
MD5: 5573cff5bae94857755ff999d5a1fc4d
SHA1: 6dbc943031be6f417740923b9eff0d3c849b9c33
SHA256: dca3d3887c3db7ff5c182a6b50ef126f91c3ca0abdd230a828d7e9cbaf2d418f
SHA512: e0ccaa55a00ab094065184d8fd23a63a2459fdf3c48a67b727afa33e62a2bb144ad3538d42874aa91c46cd72c6af5a472ea897b105412bc9c343d75cb3cb9e9c

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
Filesize: 138KB
MD5: ef1851b2ae7fc3b4ab80a821315e4dee
SHA1: a8ff1018247ba559321c66911b58570cfce96d0d
SHA256: 7b2e308b97113a2d055a9fceade992868348ccfb8c5f7e60ec8a5c1f62d02431
SHA512: ee604386b52e7b9c1ebbf4a35be0d17b7d7d850e5dbc4a15d146ef3b344cb1240a3f6b154e0f8df93df3052d04c0a2f724e20a2e23174a14a24db7a7dc0bb0aa