marsstealer | 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48

General

Target

SENSIXDPANNEL.exe
Size

433KB
MD5

40cf5b7e5c505da78a7f66d2950effbf
SHA1

abf961c5b9fae57411a195a00b4c7093d2fe0bc4
SHA256

911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
SHA512

08cbfc073c2d0f63a9b2711a81dd30809cb87eb2310ffd5b2a582a1e9ca0ebd5956093e83453310cba25a403aa28bf7cfcb3725a017188d48e66cccccb190bc5
SSDEEP

12288:pyVG1u73Do/eGm5uRWlgfS7BCag7MJQIGhJNsx61V0wrY4FS9:IGS6WRN+JGxS

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

2300 .exe
Loads dropped DLL 5 IoCs

Processes:

SENSIXDPANNEL.exeWerFault.exe

pid process

1056 SENSIXDPANNEL.exe
1056 SENSIXDPANNEL.exe
3016 WerFault.exe
3016 WerFault.exe
3016 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3016 2300 WerFault.exe .exe

pid	process
2300	.exe

pid	process
1056	SENSIXDPANNEL.exe
1056	SENSIXDPANNEL.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe

pid	pid_target	process	target process
3016	2300	WerFault.exe	.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SENSIXDPANNEL.exe.exe

description	pid	process	target process
PID 1056 wrote to memory of 2300	1056	SENSIXDPANNEL.exe	.exe
PID 1056 wrote to memory of 2300	1056	SENSIXDPANNEL.exe	.exe
PID 1056 wrote to memory of 2300	1056	SENSIXDPANNEL.exe	.exe
PID 1056 wrote to memory of 2300	1056	SENSIXDPANNEL.exe	.exe
PID 2300 wrote to memory of 3016	2300	.exe	WerFault.exe
PID 2300 wrote to memory of 3016	2300	.exe	WerFault.exe
PID 2300 wrote to memory of 3016	2300	.exe	WerFault.exe
PID 2300 wrote to memory of 3016	2300	.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Adobe\.exe
"C:\Users\Admin\AppData\Roaming\Adobe\.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 824
3⤵
- Loads dropped DLL
- Program crash
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
84KB

MD5
9329efc2923f65682ad6d57cb0da28cf

SHA1
4b6b23350ff57a1abe80c16e1c313f08ebce5e77

SHA256
4f89a33f894ea92306c278b9eb22c05f885b34bb9c5b1aed4c132ae635cb9361

SHA512
6fb59cdb7b601b1eacbe9dc45a3d0604e719e9473bb717262e26eace38600c19b15583b41aa6f5c6d8090c13fef5cd0c554dfef36da25a25bfb12d98933c87a0

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
63KB

MD5
7f75315b1d645e72867f5d83b990eab8

SHA1
cc9a0e6b249ad584aa43a17dbf88fe1f62a2eb1e

SHA256
31ef1e24f6b1f486263c27fb706417511ee336a73e7d1204f4aeaa7798da1fd4

SHA512
0d7639b4ca55c5c602451a6c53967416efcf3d777b930e7da7da810a093619e3490800cebc80d604d53d0d3bd05994d1c7c064e372be2798c88e252466dfc353

Download Submit
\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
132KB

MD5
9c7e90f4ef398c80944b3c61a10ab4cc

SHA1
50214ec16ded8d4c2bf325b10ca3527998f0a125

SHA256
89be043eb7050ad61cb923a4892dc3f6310ff0f7f9c64e73e6f8155e248291b9

SHA512
18428a6c3f8f04989280265dc9521513be4131e641653150e71ffc39e7f69d718779230a6c7e90cf2932e61903a5575812f27cef88d11ecaeb671c8b1c409a27

Download Submit
\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
75KB

MD5
85ad9cda197b8b2f8d60c0b478e4804c

SHA1
8b8770e95370753c3ea8a8a7447e2c6d7195410f

SHA256
45fd44f40aae10a76fef2de0c3b1638928b3e519f5b94b26de425864773efde8

SHA512
37e1f28e30d4088c04337f7b1832c56d563f7e8af4aa1868e1b888db58a215e5ae88ac8f45d7f6e5da609af9a8459da7daad4e0bf8562205f38330da72ccb040

Download Submit
\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
116KB

MD5
c9619677aa632f49be7e512f6d0e9b69

SHA1
ede7cb1e75980a85d9d01a97801dcedf4c900e4c

SHA256
54beb3a3e6d4f8b1a9405e3cc3bcfd4867a694a8eb909169ceeb63833370e2fc

SHA512
0656eed948b2c1e02b3c96d6c32f298fcfc8f50b5951cb578ef792502da55e1ade245f41c844973dce1c2c1cdc29269911e85bcfec872cc8af68cbdf5a029523

Download Submit
\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
48KB

MD5
b01fae57e9956ad948f6b30f3bacb4c6

SHA1
e08541551fc1f776603e7e188a490e5509a233dd

SHA256
ddf3cc060ba90aadf78ca3a708788e0cd594716a48a1ca4f093d5de75218ab0e

SHA512
c5a42fb0ebd29c9ace1f78d894fce514e22da89a20bc4edf52727e9eccdb63f7ea22a70ce6b0041f9a89206de767622de2a01a3b468db2a565f6273733542600

Download Submit
\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
83KB

MD5
3c57e9525cea310d86bbad48e3277457

SHA1
c48bc75a699d0d9bd9665cb6aad5f5678224e576

SHA256
de684730d374ea8eadebeb2dacf0b9eb7e08faf00bf6a2fc6ba00d4f79226faf

SHA512
21140c9278f6038748197a8c067b50ca0ff864c193205f1c4164bc4539f5608679f7e48604d8f7c0bf0e6a0b5b57f6f9bf23ebbdbab3970aaa210f4bc0a80f90

Download Submit
memory/1056-14-0x00000000005A0000-0x00000000005DD000-memory.dmp

Filesize
244KB

Download
memory/1056-12-0x00000000005A0000-0x00000000005DD000-memory.dmp

Filesize
244KB

Download
memory/1056-13-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/1056-0-0x0000000000170000-0x00000000001E2000-memory.dmp

Filesize
456KB

Download
memory/1056-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/1056-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing