Malware Analysis Report

2024-10-19 07:06

Sample ID: 231223-bxdfwsgcg6
Target: SENSIXDPANNEL.exe
SHA256: 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
Tags: marsstealer, default, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48

Threat Level: Known bad

The file SENSIXDPANNEL.exe was found to be: Known bad.

Malicious Activity Summary

Tags: marsstealer, default, spyware, stealer

Mars Stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-23 01:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-23 01:31
Reported: 2023-12-23 01:33
Platform: win7-20231215-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Signatures

Mars Stealer

Tags: stealer, marsstealer

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Adobe\.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

C:\Users\Admin\AppData\Roaming\Adobe\.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\.exe"

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 824

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.moscow-post.com | udp
RU | 185.71.67.60:80 | www.moscow-post.com | tcp
US | 8.8.8.8:53 | www.moscow-post.su | udp
RU | 185.71.67.60:80 | www.moscow-post.su | tcp

Files

\Users\Admin\AppData\Roaming\Adobe\.exe


Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-23 01:31
Reported: 2023-12-23 01:33
Platform: win10v2004-20231215-en
Max time kernel: 145s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Network

Country | Destination | Domain | Proto

Files

C:\Users\Admin\AppData\Local\Temp\Low\FJS03J.exe
