Malware Analysis Report

2024-10-23 19:39

Sample ID 231221-cr7cfsfchj
Target ShE8qQv970pdsiQkvoCPdggJI3RnzXRX
SHA256 09854915bafa02b6de0ee7b94d2487e7c8867563c1194ee8cb73d7e0cbc60d97
Tags
marsstealer default spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09854915bafa02b6de0ee7b94d2487e7c8867563c1194ee8cb73d7e0cbc60d97

Threat Level: Known bad

The file ShE8qQv970pdsiQkvoCPdggJI3RnzXRX was found to be: Known bad.

Malicious Activity Summary

marsstealer default spyware stealer

Mars Stealer

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-21 02:19

Signatures

Unsigned PE

Description   N/A
Indicator     N/A
Process       N/A
Target        N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 02:19

Reported

2023-12-21 02:20

Platform

win7-20231129-en

Max time kernel

50s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"

Signatures

Mars Stealer

stealer marsstealer

Executes dropped EXE

Description   N/A
Indicator     N/A
Process       C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe
Target        N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description   N/A
Indicator     N/A
Process       C:\Windows\SysWOW64\WerFault.exe
Target        C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe

"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"

C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe

"C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808

Network

Country Destination Domain Proto
US 8.8.8.8:53 moscow-post.ru udp
RU 185.71.67.60:80 moscow-post.ru tcp
US 8.8.8.8:53 www.moscow-post.ru udp
RU 185.71.67.60:80 www.moscow-post.ru tcp
US 8.8.8.8:53 www.moscow-post.su udp
RU 185.71.67.60:80 www.moscow-post.su tcp

Files

memory/2932-0-0x0000000000950000-0x00000000009C2000-memory.dmp

memory/2932-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp

memory/2932-2-0x00000000006C0000-0x0000000000700000-memory.dmp

memory/2932-12-0x0000000000750000-0x000000000078D000-memory.dmp

memory/2620-15-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2932-14-0x0000000074AF0000-0x00000000751DE000-memory.dmp

memory/2932-13-0x0000000000750000-0x000000000078D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe

MD5 2f99ffd868c5ff919d23897058537c8e
SHA1 7f8f0cba294440026627ad86b5812b5bd5e535e6
SHA256 9660b3d526da3fe03549ef62b2dfddb3cb6f38e28f084df9e729a3b50e3e076f
SHA512 2425ade2f9670e1b8303061b0dae6b83d5f8fd686e8ea568d68de20f900e918d0d17b74b5f8e89cf0abf079374bb43c3b9f0ab7d30933abc20dc67f7b9afc443

C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe

MD5 6bdc999a6baedf655e2445d777cf4eef
SHA1 09f9372be9f20c9554d352d0571f0c8949b601d5
SHA256 51631895140e1927ca33d970f3e49500d4103c048d1a2105f8f0e2a146b927c4
SHA512 1f4cd6ed5238ba114c15413251097d952d266f3966bc7ce59aa8c8919f41efb7acc54d291cd5c1336105d1632929ea5c838f981ff13d38606ab03ec4a202d233

\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe

MD5 c68be1642adc5cb69f48b5a7605984ff
SHA1 091f7a33e6e0ddca20b5384d82edcf17feed921b
SHA256 26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df
SHA512 0198b77c624df5639e058e46e92085410bb0f3aca2b45e9ffa9dc26588134755b5e13e213057dd6918f8f2573c214023bd04dc07b68ca329b7e5a440b2f5013f
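The "Processes" and "Files" sections above are terse: dumps are named memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, and the only link between a dump and a process is the PID that WerFault.exe was started for ("-p 2620"). The script below is an added example, not part of the sandbox report, that parses both, groups the dumps per PID, computes region sizes, and flags the PID that crashed. The dump names and command lines are copied from behavioral1; the conclusion that PID 2620 is the dropped GKJAF.exe follows from the "Program crash" target column, and that PID 2932 is therefore the parent "Ghost Hunter Vena_d-34UG1.exe" is an inference, not something the report states.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 "Files" section.
DUMPS = [
    "memory/2932-0-0x0000000000950000-0x00000000009C2000-memory.dmp",
    "memory/2932-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
    "memory/2932-2-0x00000000006C0000-0x0000000000700000-memory.dmp",
    "memory/2932-12-0x0000000000750000-0x000000000078D000-memory.dmp",
    "memory/2620-15-0x0000000000400000-0x000000000043D000-memory.dmp",
    "memory/2932-14-0x0000000074AF0000-0x00000000751DE000-memory.dmp",
    "memory/2932-13-0x0000000000750000-0x000000000078D000-memory.dmp",
]
# Command lines copied from the behavioral1 "Processes" section.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# WerFault.exe names the faulting process with "-p <pid>"; "-pss" and "-ip"
# (seen in the behavioral2 run) are different switches and must not match.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*\s-p\s+(?P<pid>\d+)", re.IGNORECASE)


def parse_dump(name):
    """Split a Triage-style dump name into pid, dump index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted address range: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def crashed_pids(cmdlines):
    """PIDs that WerFault.exe was started for, i.e. the faulting processes."""
    pids = set()
    for c in cmdlines:
        m = WERFAULT_PID_RE.search(c)
        if m:
            pids.add(int(m["pid"]))
    return pids


def summarize(dumps, cmdlines):
    """Per PID: dumps in capture order, number of distinct ranges, crash flag,
    and whether a region starts at 0x400000 (the linker default image base of a
    32-bit PE; with ASLR the mapped base may differ, so this is a hint only)."""
    crashed = crashed_pids(cmdlines)
    by_pid = defaultdict(list)
    for d in map(parse_dump, dumps):
        by_pid[d["pid"]].append(d)
    report = {}
    for pid, regs in by_pid.items():
        regs.sort(key=lambda r: r["idx"])
        report[pid] = {
            "regions": regs,
            "distinct_ranges": len({(r["start"], r["end"]) for r in regs}),
            "crashed": pid in crashed,
            "image_at_0x400000": any(r["start"] == 0x400000 for r in regs),
        }
    return report


if __name__ == "__main__":
    for pid, info in summarize(DUMPS, CMDLINES).items():
        tag = "crashed (WerFault target)" if info["crashed"] else "not reported as crashed"
        print(f"PID {pid}: {len(info['regions'])} dumps, "
              f"{info['distinct_ranges']} distinct ranges, {tag}")
        for r in info["regions"]:
            print(f"  #{r['idx']:<3} 0x{r['start']:08X}-0x{r['end']:08X}  {r['size']:>8} bytes")
```

Reading the output against the report: PID 2932 has six dumps but only four distinct ranges (0x74AF0000-0x751DE000 and 0x750000-0x78D000 were each captured twice, at different indices), while PID 2620 has a single 0x3D000-byte region at 0x400000 and is the process WerFault was launched for. When triaging the archive, the 2620 dump is the one to open first as a candidate for the dropped payload's image.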

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 02:19

Reported

2023-12-21 02:22

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"

Signatures

Mars Stealer

stealer marsstealer

Checks computer location settings

Description   Key value queried
Indicator     \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation
Process       C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
Target        N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe

"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3616 -ip 3616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1404

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 moscow-post.ru udp
RU 185.71.67.60:80 moscow-post.ru tcp
US 8.8.8.8:53 www.moscow-post.ru udp
RU 185.71.67.60:80 www.moscow-post.ru tcp
US 8.8.8.8:53 www.moscow-post.su udp
RU 185.71.67.60:80 www.moscow-post.su tcp
US 8.8.8.8:53 60.67.71.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1664-1-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/1664-0-0x0000000000DD0000-0x0000000000E42000-memory.dmp

memory/1664-2-0x0000000005730000-0x0000000005740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe

MD5 5573cff5bae94857755ff999d5a1fc4d
SHA1 6dbc943031be6f417740923b9eff0d3c849b9c33
SHA256 dca3d3887c3db7ff5c182a6b50ef126f91c3ca0abdd230a828d7e9cbaf2d418f
SHA512 e0ccaa55a00ab094065184d8fd23a63a2459fdf3c48a67b727afa33e62a2bb144ad3538d42874aa91c46cd72c6af5a472ea897b105412bc9c343d75cb3cb9e9c

memory/1664-13-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3616-12-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe

MD5 061647d33aba9b76568b724b75e51fa6
SHA1 42fb62744aa41e2e3c78f6ad9ee690b71c9a019b
SHA256 6891320b9cf5dbf1278eb5c262a19a977d199666560dab26f920967e3f387474
SHA512 a606acce217895032688cc2cd88b6cbad5b80fca300b6d29c4f827b49de8732feeeba67678867f3837ca4002870fb20f849619418f2943668b3231e7f1af1628

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe

MD5 ef1851b2ae7fc3b4ab80a821315e4dee
SHA1 a8ff1018247ba559321c66911b58570cfce96d0d
SHA256 7b2e308b97113a2d055a9fceade992868348ccfb8c5f7e60ec8a5c1f62d02431
SHA512 ee604386b52e7b9c1ebbf4a35be0d17b7d7d850e5dbc4a15d146ef3b344cb1240a3f6b154e0f8df93df3052d04c0a2f724e20a2e23174a14a24db7a7dc0bb0aa

memory/3616-15-0x0000000000400000-0x000000000043D000-memory.dmp
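The "Network" and "Files" sections of both runs give the indicators a defender would actually hunt on: the queried names moscow-post.ru, www.moscow-post.ru and www.moscow-post.su, TCP to 185.71.67.60:80, the SHA256 values of every dropped file, and the two drop directories under the user's Temp folder. The script below is an added example, not part of the sandbox report, that collects those indicators and runs them over log data. The indicators are copied from the report; the DNS log format, the EDR-style event dictionaries and all sample lines are constructed here for illustration, and the choice to match any subdomain of moscow-post.ru/.su is an assumption the report does not make. The report also does not say whether the moscow-post traffic is command-and-control or a connectivity check, so the code labels it "contacted", not "C2".

```python
import re

# --- Indicators copied from the report ---------------------------------------
CONTACTED_DOMAINS = {"moscow-post.ru", "moscow-post.su"}   # parents of the queried names
CONTACTED_ENDPOINTS = {("185.71.67.60", 80)}                # only tcp/80 was observed
SAMPLE_SHA256 = "09854915bafa02b6de0ee7b94d2487e7c8867563c1194ee8cb73d7e0cbc60d97"
DROPPED_SHA256 = {  # every SHA256 listed under "Files" for GKJAF.exe and A6XFCDNE2.exe
    "9660b3d526da3fe03549ef62b2dfddb3cb6f38e28f084df9e729a3b50e3e076f",
    "51631895140e1927ca33d970f3e49500d4103c048d1a2105f8f0e2a146b927c4",
    "26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df",
    "dca3d3887c3db7ff5c182a6b50ef126f91c3ca0abdd230a828d7e9cbaf2d418f",
    "6891320b9cf5dbf1278eb5c262a19a977d199666560dab26f920967e3f387474",
    "7b2e308b97113a2d055a9fceade992868348ccfb8c5f7e60ec8a5c1f62d02431",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
# Drop directories from the two runs. The file names (GKJAF.exe, A6XFCDNE2.exe)
# look generated per run, so match on the directory and treat hits as leads.
DROP_DIR_RE = re.compile(
    r"\\AppData\\Local\\Temp\\(?:Low|Microsoft Visual C\+\+ 2010 x86 Redistributable "
    r"Setup_10\.0\.40219)\\[^\\]+\.exe$", re.IGNORECASE)


def is_contacted_domain(qname):
    """True for the listed domains and (assumption) any subdomain of them."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in CONTACTED_DOMAINS)


def scan_dns(lines):
    """lines: 'timestamp client qname rcode answer' (constructed format).
    Returns (timestamp, client, qname) for each query to a contacted domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[:3]
        if is_contacted_domain(qname):
            hits.append((ts, client, qname))
    return hits


def scan_events(events):
    """events: EDR-style dicts (constructed). Returns (host, reason) per hit."""
    hits = []
    for e in events:
        kind = e.get("type")
        if kind == "FileCreate":
            if e.get("sha256", "").lower() in KNOWN_SHA256:
                hits.append((e["host"], f"known hash written: {e['path']}"))
            elif DROP_DIR_RE.search(e.get("path", "")):
                hits.append((e["host"], f"exe in stealer drop dir: {e['path']}"))
        elif kind == "NetworkConnect":
            if (e.get("dst_ip"), int(e.get("dst_port", 0))) in CONTACTED_ENDPOINTS:
                hits.append((e["host"], f"tcp to {e['dst_ip']}:{e['dst_port']}"))
    return hits


# --- Constructed sample data (not from the report) ---------------------------
DNS_LOG = [
    "2024-10-23T19:39:01Z 10.0.0.17 www.moscow-post.su. NOERROR 185.71.67.60",
    "2024-10-23T19:39:02Z 10.0.0.17 moscow-post.ru NOERROR 185.71.67.60",
    "2024-10-23T19:39:03Z 10.0.0.22 www.example.com NOERROR 192.0.2.1",
    "2024-10-23T19:39:04Z 10.0.0.22 moscow-post.ru.example.net NOERROR 192.0.2.1",  # lookalike, no hit
]
EVENTS = [
    {"type": "FileCreate", "host": "WS01", "sha256": "26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df",
     "path": r"C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe"},
    {"type": "FileCreate", "host": "WS02", "sha256": "0" * 64,
     "path": r"C:\Users\bob\AppData\Local\Temp\Low\QWERTY.exe"},        # new build, same drop dir
    {"type": "FileCreate", "host": "WS02", "sha256": "1" * 64,
     "path": r"C:\Users\bob\AppData\Local\Temp\Low\readme.txt"},        # not an exe, no hit
    {"type": "NetworkConnect", "host": "WS01", "dst_ip": "185.71.67.60", "dst_port": 80},
    {"type": "NetworkConnect", "host": "WS03", "dst_ip": "185.71.67.60", "dst_port": 443},  # port not observed
]

if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG) + scan_events(EVENTS):
        print(hit)
```

Two design points: hash matches are strong evidence but brittle (the report already lists three different hashes for the same dropped path in each run), so the directory pattern is there to catch a rebuilt payload at the cost of needing analyst review; and the endpoint match is deliberately port-specific because the report only shows tcp/80, so widen it consciously if your environment justifies it.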