marsstealer | c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503

General

Target

InstallShieldSetup.exe
Size

465KB
MD5

1578590b1e0234b07316d604370a087b
SHA1

ef865b18e16d6a74e38d3aba0d09600d0d450e3e
SHA256

c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503
SHA512

4ab2b5847ca31f07dbdb9d7043d462f8556562f30b23827f8b75bc15b4c57e295d56cc93a71a9ab45468ffd985452c79cd89975d3acd13f1146097687f33b974
SSDEEP

12288:YOZQdNMfxzE94hzovW/0NiqjAQeaDVI9VyvSBwoYE6xPqd2cftuw2:YYZqrNiTqaBb

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

6AN3PYFOS7.exe

pid process

2884 6AN3PYFOS7.exe

pid	process
2884	6AN3PYFOS7.exe

Loads dropped DLL 8 IoCs

Processes:

InstallShieldSetup.exe6AN3PYFOS7.exeWerFault.exe

pid	process
2520	InstallShieldSetup.exe
2520	InstallShieldSetup.exe
2884	6AN3PYFOS7.exe
2884	6AN3PYFOS7.exe
2884	6AN3PYFOS7.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2640 2884 WerFault.exe 6AN3PYFOS7.exe

pid	pid_target	process	target process
2640	2884	WerFault.exe	6AN3PYFOS7.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

InstallShieldSetup.exe6AN3PYFOS7.exe

description	pid	process	target process
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2520 wrote to memory of 2884	2520	InstallShieldSetup.exe	6AN3PYFOS7.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe
PID 2884 wrote to memory of 2640	2884	6AN3PYFOS7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe
"C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 872
3⤵
- Loads dropped DLL
- Program crash
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
Filesize
132KB

MD5
3a6f69ecc4b0744752283451b49147a9

SHA1
ffa66b1daa062220ebf68639a374f24f924a60d2

SHA256
22949ed85e66d19c8691e20ae79130490e1bc1ce97f98f7ef89216783b66575a

SHA512
c99a450a0aa8ca580664e1bfb59a0ddbd6fc3b0e14485604b94b9ce65470a38176b0889026965fb9c471d6b28913436ded62dd5ee17977863b83eadab7fad81d

Download Submit
\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
Filesize
98KB

MD5
76114abaeb8a77411d560762e93a6156

SHA1
53314096bb9a6a52271a3704d1d0efd167b9c5ec

SHA256
5f87c144c6c074fc4846dd305c89a3e777f5f7174616f96363b91ca37e9b92b4

SHA512
af3f712624dcfba098d47f3c3a2ed49d82d0beb70b6edb68e17c0466e104a1c0e2d4ac2b8f7ad800ee36d8d209e0107b3f350fabf63b03045cf6ead5191ceb40

Download Submit
\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
Filesize
83KB

MD5
15ec45c17d8afc555714938aabb365a5

SHA1
b2d500c2baf6e2dd6c50ffb66ff349ed9b815336

SHA256
a1b5b3284d406409ac59329ca76ac5a25dd07e250c39308c59dbcf71bd791016

SHA512
c9c36b79e8dce06500aa4ea41491242a136061274ebe9dd6cac0eb5925b7310c67cce5195169a9832df91feb31d7683d10e15b70cb0f920323640640a8632eec

Download Submit
\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
Filesize
59KB

MD5
e3ca4b5c5e173076ce7d6b621f410959

SHA1
cdf9c72371623e59c542580a36b0b5e6d60f2613

SHA256
ab1edfbdba76bfe249a6fca3ae79eb8779946414c2dfd52afa9b8f1d27b728de

SHA512
2852eec3cf050a370af047882eab6049e861575459da9dc2dfdd4feb50a12c09ebc3bc33eed3a306c9c04a9494f2b653c1b4326db009811ab0581e0bc60744f9

Download Submit
\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
Filesize
159KB

MD5
b1d6d66282771bdaee20f0295991140a

SHA1
f65c534725a4aa947285ecbb2acf3f5083803152

SHA256
9697901177242e9a450aae820687ddbbd13196b5876ec77cdcb663cfbadb0053

SHA512
af0bd80c0fdb1c336268c1bcdb8b0a05a588a1ded511669f6974b10e19752bed5305fda870a9a1e61be30db14228194f84ec8da74e9836eec3506d0629fe0900

Download Submit
memory/2520-0-0x0000000000800000-0x0000000000878000-memory.dmp

Filesize
480KB

Download
memory/2520-15-0x00000000028C0000-0x00000000028FD000-memory.dmp

Filesize
244KB

Download
memory/2520-10-0x00000000028C0000-0x00000000028FD000-memory.dmp

Filesize
244KB

Download
memory/2884-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2884-17-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing