marsstealer | 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48

General

Target

SENSIXDPANNEL.exe
Size

433KB
MD5

40cf5b7e5c505da78a7f66d2950effbf
SHA1

abf961c5b9fae57411a195a00b4c7093d2fe0bc4
SHA256

911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
SHA512

08cbfc073c2d0f63a9b2711a81dd30809cb87eb2310ffd5b2a582a1e9ca0ebd5956093e83453310cba25a403aa28bf7cfcb3725a017188d48e66cccccb190bc5
SSDEEP

12288:pyVG1u73Do/eGm5uRWlgfS7BCag7MJQIGhJNsx61V0wrY4FS9:IGS6WRN+JGxS

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2752 2416 WerFault.exe PILYWFC.exe

pid	pid_target	process	target process
2752	2416	WerFault.exe	PILYWFC.exe

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
1⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe"
2⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 828
3⤵
- Program crash
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
65KB

MD5
dbe8d41f1fe8543a6ffde86a05caf62a

SHA1
6b18f94713e68fa0eaaa950eee3b50e582119f90

SHA256
70638070d2a7c70a4e454524234f27a46f44eb1449edfddd99fad23fd00a5056

SHA512
0858c532830d198991d4ce5c02747c35c3d78c31902e355b734fd71c52f732fea1c2eed671a4fd38410d550b6f50ce0d300e36f4a7e52887ad6d5fe05787efd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
45KB

MD5
1495c5521e75f7235bf1715e32e7fb19

SHA1
fdfc9293a952b7c6797e4433bcb52e26bbe3bbc4

SHA256
ebcd40526d25ea6600182a546fe139a46bc7ed44b58ac05ffd4902386907eee6

SHA512
8303dfb4019a730c6b16e5025aaf944c0fd5877b84f9356195d0855ea0a63ee5d176534e7d9372502772d99077d971e5f78487ae9aa7181a38c21374a6fce9c6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
45KB

MD5
68e10056560c6f8220ce866212e2c690

SHA1
43ee64451b88ee8895d6aeeb5e31c0e65ed0c1d8

SHA256
aab8951659d05520a6c0b3ca1453331b7f2c783ea9ff287be4362a90adf42334

SHA512
07d22ac4c18e67d15f33d754dae1f2695b04b6e9430026669918fe2f9ca7bb9b680a7a42d6ca7f5d501097ca25dc474439ed763fd2f2d93489ed73ad90761f63

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
76KB

MD5
9d6f9e4dc4e290d142af16efaab065e6

SHA1
c94cad7c2ea1d10a0ec21445181633d598cf15c9

SHA256
cdff71482c5a1bf8d90f51e0144c59ed8d40ece41f76eefa748f437aac3e0f4b

SHA512
858fab2b2d6b5c5a4d6380826cf9fdb74e810de4070b663f3197fc66b14cdede6e96dc1ad035069a6d0938fa6d3c4b02ebb143e53aecbac9af93badf6d60dfce

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
100KB

MD5
779bc23c1e13c1b409d464bb986720a0

SHA1
c8e81a0fdaca96a8566ff9ea2614d42ccc701b07

SHA256
4c0e6994cedf121de14548a4bebb88434d1409dfff4264dbfc0712653f742a95

SHA512
bb5e5c3c46d72156b8f57acfbcfa76da0bac70a9f135811698c2694358a30a5a90d11226fec96c0d869523346c1a9167054b3b94d39b08bda6e0045abb0bfbff

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
1KB

MD5
8c8036e9c04c7e42d89c6998d8f61c6a

SHA1
c3250296ef600e94cf6bc78d8e480d2612f04dc4

SHA256
8ce843ed80779311e49896473c0080be7362175fd59d451c23567cba4896fa49

SHA512
ae20fc2adf3255b6f53763c380328d971b458e791cde4d0f24ae4cd3139338c4b5553d5344ede5c542a73d3669e63e527f095e5e381276f562d5d39cc504cc99

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
Filesize
7KB

MD5
45ba92f9204b213b4cd030f533161239

SHA1
4f5358a5a43fb93ce3213310cad8f557997278fa

SHA256
a2124651bc70ffdba771d55a30fb97351d312487e40f9af90cce41e0975241c2

SHA512
c3bd5a0ccce37e9a9375c6191e07b2f53f2ec66310dd33625731008959266fe3650ce6dcd5c9c287b02b4fbfee7a490424a3cb5666268d8a8ee200c4dbc06a8e

Download Submit
memory/2184-2-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

Filesize
256KB

Download
memory/2184-0-0x0000000000050000-0x00000000000C2000-memory.dmp

Filesize
456KB

Download
memory/2184-12-0x0000000001EF0000-0x0000000001F2D000-memory.dmp

Filesize
244KB

Download
memory/2184-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-14-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing