Analysis
max time kernel: 89s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2023 02:25
Static task: static1
Behavioral task: behavioral1
Sample: Ghost Hunter Vena_d-34UG1.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: Ghost Hunter Vena_d-34UG1.exe
Resource: win10v2004-20231215-en
General
Target: Ghost Hunter Vena_d-34UG1.exe
Size: 10.5MB
MD5: 7c3cdfd4ec2ef7074aa6cba65aedec95
SHA1: b248fdaf6f4bdcb0c470059065069c931c9b6362
SHA256: 6dea57ecfe1a092b1c434f571276426140f18b514b79128f8daee7d61cd85c63
SHA512: c40ba8d6663ea6a3e9125d8bcdb2cae8fc34cfc9d6b70746769d7c0921176f21a881f85a91f6f6280f7ddacd654d7ae394de01718a8210968ed8cafe2f82de52
SSDEEP: 12288:fuI/t26BoC4OIrOdSj5KFbkj2jUUDJLLUp+ezD3iH:TuOdSf2IKRU
Malware Config
Extracted
marsstealer
Default
moscow-post.ru/blogggg/blogger.php
Signatures
- Mars Stealer
An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation
  process: Ghost Hunter Vena_d-34UG1.exe
- Executes dropped EXE (1 IoC)
Processes:
  pid: 3260
  process: L81A33P7OS2JZL.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
Processes:
  pid: 4944
  pid_target: 3260
  process: WerFault.exe
  target process: L81A33P7OS2JZL.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 5088 wrote to memory of 3260; pid: 5088; process: Ghost Hunter Vena_d-34UG1.exe; target process: L81A33P7OS2JZL.exe
  description: PID 5088 wrote to memory of 3260; pid: 5088; process: Ghost Hunter Vena_d-34UG1.exe; target process: L81A33P7OS2JZL.exe
  description: PID 5088 wrote to memory of 3260; pid: 5088; process: Ghost Hunter Vena_d-34UG1.exe; target process: L81A33P7OS2JZL.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 5088
   2. C:\ProgramData\WindowsHolographicDevices\L81A33P7OS2JZL.exe
      Command line: "C:\ProgramData\WindowsHolographicDevices\L81A33P7OS2JZL.exe"
      - Executes dropped EXE
      PID: 3260
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1404
         - Program crash
         PID: 4944
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3260 -ip 3260
   PID: 3120
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 159KB
MD5: c68be1642adc5cb69f48b5a7605984ff
SHA1: 091f7a33e6e0ddca20b5384d82edcf17feed921b
SHA256: 26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df
SHA512: 0198b77c624df5639e058e46e92085410bb0f3aca2b45e9ffa9dc26588134755b5e13e213057dd6918f8f2573c214023bd04dc07b68ca329b7e5a440b2f5013f