Malware Analysis Report

2024-10-19 07:06

Sample ID 231223-bxrcradhdl
Target SENSIXDPANNEL.exe
SHA256 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
Tags marsstealer, default, stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48

Threat Level: Known bad

The file SENSIXDPANNEL.exe was found to be: Known bad.

Malicious Activity Summary

marsstealer default stealer

Mars Stealer

Unsigned PE

Enumerates physical storage devices

Program crash

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2023-12-23 01:31

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-23 01:31

Reported

2023-12-23 01:40

Platform

win7-20231215-en

Max time kernel

4s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Signatures

Mars Stealer

stealer marsstealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 828

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.moscow-post.com udp
RU 185.71.67.60:80 www.moscow-post.com tcp
US 8.8.8.8:53 www.moscow-post.su udp
RU 185.71.67.60:80 www.moscow-post.su tcp

Files

memory/2184-0-0x0000000000050000-0x00000000000C2000-memory.dmp

memory/2184-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2184-2-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 1495c5521e75f7235bf1715e32e7fb19
SHA1 fdfc9293a952b7c6797e4433bcb52e26bbe3bbc4
SHA256 ebcd40526d25ea6600182a546fe139a46bc7ed44b58ac05ffd4902386907eee6
SHA512 8303dfb4019a730c6b16e5025aaf944c0fd5877b84f9356195d0855ea0a63ee5d176534e7d9372502772d99077d971e5f78487ae9aa7181a38c21374a6fce9c6

memory/2184-12-0x0000000001EF0000-0x0000000001F2D000-memory.dmp

memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 dbe8d41f1fe8543a6ffde86a05caf62a
SHA1 6b18f94713e68fa0eaaa950eee3b50e582119f90
SHA256 70638070d2a7c70a4e454524234f27a46f44eb1449edfddd99fad23fd00a5056
SHA512 0858c532830d198991d4ce5c02747c35c3d78c31902e355b734fd71c52f732fea1c2eed671a4fd38410d550b6f50ce0d300e36f4a7e52887ad6d5fe05787efd9

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 45ba92f9204b213b4cd030f533161239
SHA1 4f5358a5a43fb93ce3213310cad8f557997278fa
SHA256 a2124651bc70ffdba771d55a30fb97351d312487e40f9af90cce41e0975241c2
SHA512 c3bd5a0ccce37e9a9375c6191e07b2f53f2ec66310dd33625731008959266fe3650ce6dcd5c9c287b02b4fbfee7a490424a3cb5666268d8a8ee200c4dbc06a8e

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 8c8036e9c04c7e42d89c6998d8f61c6a
SHA1 c3250296ef600e94cf6bc78d8e480d2612f04dc4
SHA256 8ce843ed80779311e49896473c0080be7362175fd59d451c23567cba4896fa49
SHA512 ae20fc2adf3255b6f53763c380328d971b458e791cde4d0f24ae4cd3139338c4b5553d5344ede5c542a73d3669e63e527f095e5e381276f562d5d39cc504cc99

memory/2184-14-0x00000000747B0000-0x0000000074E9E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 9d6f9e4dc4e290d142af16efaab065e6
SHA1 c94cad7c2ea1d10a0ec21445181633d598cf15c9
SHA256 cdff71482c5a1bf8d90f51e0144c59ed8d40ece41f76eefa748f437aac3e0f4b
SHA512 858fab2b2d6b5c5a4d6380826cf9fdb74e810de4070b663f3197fc66b14cdede6e96dc1ad035069a6d0938fa6d3c4b02ebb143e53aecbac9af93badf6d60dfce

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 68e10056560c6f8220ce866212e2c690
SHA1 43ee64451b88ee8895d6aeeb5e31c0e65ed0c1d8
SHA256 aab8951659d05520a6c0b3ca1453331b7f2c783ea9ff287be4362a90adf42334
SHA512 07d22ac4c18e67d15f33d754dae1f2695b04b6e9430026669918fe2f9ca7bb9b680a7a42d6ca7f5d501097ca25dc474439ed763fd2f2d93489ed73ad90761f63

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe

MD5 779bc23c1e13c1b409d464bb986720a0
SHA1 c8e81a0fdaca96a8566ff9ea2614d42ccc701b07
SHA256 4c0e6994cedf121de14548a4bebb88434d1409dfff4264dbfc0712653f742a95
SHA512 bb5e5c3c46d72156b8f57acfbcfa76da0bac70a9f135811698c2694358a30a5a90d11226fec96c0d869523346c1a9167054b3b94d39b08bda6e0045abb0bfbff

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-23 01:31

Reported

2023-12-23 01:41

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Signatures

Mars Stealer

stealer marsstealer

Enumerates physical storage devices

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Users\Admin\AppData\Roaming\Adobe\NY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe

"C:\Users\Admin\AppData\Roaming\Adobe\NY.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1368
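The WerFault.exe command lines in both behavioral runs carry the PID of the faulting process after "-p", which is the only place the report ties the "Program crash" signature to a specific child. The script below is an added example, not part of the sandbox report or its tooling: it parses those command lines together with the memory/<pid>-... dump names from the Files sections of both runs and reports which regions were dumped from the crashed process. The command lines and dump names are copied from this page; the observation it surfaces (both crashed children, PID 2416 on win7 and PID 1816 on win10, expose a 0x3D000-byte region at 0x400000) is read directly from those names, while attributing PID 2416 to PILYWFC.exe is an inference, since the report only names the crash target for behavioral2.

```python
"""Correlate WerFault.exe command lines with memory dumps to find the crashed child.

Added example, not part of the sandbox report: the command lines and dump file
names below are copied from the behavioral1 and behavioral2 sections; the
correlation logic is ours. WerFault's "-p <pid>" names the faulting process,
which lets the crash be tied back to the memory/<pid>-... dumps.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: WerFault command lines from both behavioral runs.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 828",             # behavioral1
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1816 -ip 1816",  # behavioral2
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1368",            # behavioral2
]

# Constructed input: memory dump names from the Files sections of both runs.
DUMP_NAMES = [
    "memory/2184-0-0x0000000000050000-0x00000000000C2000-memory.dmp",
    "memory/2184-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp",
    "memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp",
    "memory/3332-0-0x0000000000B80000-0x0000000000BF2000-memory.dmp",
    "memory/1816-12-0x0000000000400000-0x000000000043D000-memory.dmp",
    "memory/1816-15-0x0000000000400000-0x000000000043D000-memory.dmp",
]

_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def werfault_target_pid(cmdline: str) -> int | None:
    """Return the faulting PID named by '-p <pid>' in a WerFault command line.

    Handles both the '-u -p PID -s EVENT' form and the '-pss -s X -p PID -ip PID'
    form seen in this report. Returns None when no '-p' switch is present.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-p" and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def parse_dump_name(name: str) -> tuple[int, int, int, int] | None:
    """Parse 'memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp' into (pid, seq, base, end)."""
    m = _DUMP_RE.match(name)
    if not m:
        return None
    return (int(m["pid"]), int(m["seq"]), int(m["base"], 16), int(m["end"], 16))


def crash_regions(cmdlines: list[str], dumps: list[str]) -> dict[int, list[tuple[int, int]]]:
    """Map each crashed PID to the (base, size) of every region dumped from it.

    Only PIDs that WerFault was invoked for are returned, so dumps of the
    parent processes (2184, 3332), which never crashed, are excluded.
    """
    crashed = {pid for pid in map(werfault_target_pid, cmdlines) if pid is not None}
    regions: dict[int, list[tuple[int, int]]] = defaultdict(list)
    for d in dumps:
        parsed = parse_dump_name(d)
        if parsed and parsed[0] in crashed:
            pid, _seq, base, end = parsed
            regions[pid].append((base, end - base))
    return dict(regions)


if __name__ == "__main__":
    for pid, regs in sorted(crash_regions(WERFAULT_CMDLINES, DUMP_NAMES).items()):
        for base, size in regs:
            print(f"pid {pid}: dumped region base=0x{base:X} size=0x{size:X}")
```

The same 0x400000 base and 0x3D000 size in both crashed children is a useful pivot when comparing the two runs: it suggests the dumps are of the same dropped payload image regardless of the drop path, and the 0x400000-based dump is the one to carve for the Mars Stealer configuration rather than the parent's dumps.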

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
RU 185.71.67.60:80 www.moscow-post.su tcp
RU 185.71.67.60:80 www.moscow-post.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp

Files

memory/3332-1-0x0000000074C40000-0x00000000753F0000-memory.dmp

memory/3332-2-0x0000000005500000-0x0000000005510000-memory.dmp

memory/3332-0-0x0000000000B80000-0x0000000000BF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe

MD5 9fe9ad9271d89f6893111cad105803c9
SHA1 4032d9c8d57580c6f78c389b90a78719b3257086
SHA256 c547dbfb49ff140f95c960d1bb14979f4bddaf83fd2fae8d941aebe377f2ef9e
SHA512 05aaf652625da4be1914b23f00b94998c1546b45caaa1f71ba3f504e717af34062fd6f3a5487e36511e90a9dc2077babcedf43a05a4b8ad08d12e7483f0120ad

memory/3332-13-0x0000000074C40000-0x00000000753F0000-memory.dmp

memory/1816-12-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe

MD5 c99b297ae587a31fec6551ee74ac9029
SHA1 49544a1e76e7a585c968a9637f18035c1a83c59c
SHA256 428d0a7f6f03f5fdc2ba4754cede4afad4646b06c4fd6f24dcf9ff38f188c4e8
SHA512 5b1dd0c6a65376dd0dbc2a848580c9b4c06ff52a50b9c5109e695766de7b1ff1da74a75f05b24aae4e2947c49493e4dbb92ea36b7286b8c1e954c0bda176d0cd

memory/1816-15-0x0000000000400000-0x000000000043D000-memory.dmp
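Two things in the Files sections of behavioral1 and behavioral2 matter before the hashes are turned into indicators. First, the same dropped path (PILYWFC.exe, NY.exe) is listed several times with different digests, and the same file appears both with and without the "C:" drive prefix; this is most likely the sandbox snapshotting the file while it was still being written, not six distinct payloads. Second, the NY.exe entry with MD5 d41d8cd98f00b204e9800998ecf8427e carries exactly the MD5/SHA1/SHA256/SHA512 of zero bytes, so it records an empty file and would only add noise to a blocklist. The script below is an added example, not part of the report or its tooling: it parses a verbatim excerpt of the Files sections (the PILYWFC.exe and NY.exe entries are copied from this page, not all of them, to keep the input short), detects empty-file digest sets by computing them with hashlib rather than hard-coding them, merges path variants, and returns the SHA256 set that is actually worth hunting on.

```python
"""Triage a sandbox report's dropped-file hash list before turning it into IOCs.

Added example, not part of the report: the entries below are copied from the
Files sections of behavioral1 and behavioral2. Repeated paths with different
digests and the zero-byte NY.exe entry are both handled.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Constructed input: a verbatim excerpt of the report's Files sections.
REPORT_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
MD5 1495c5521e75f7235bf1715e32e7fb19
SHA1 fdfc9293a952b7c6797e4433bcb52e26bbe3bbc4
SHA256 ebcd40526d25ea6600182a546fe139a46bc7ed44b58ac05ffd4902386907eee6
SHA512 8303dfb4019a730c6b16e5025aaf944c0fd5877b84f9356195d0855ea0a63ee5d176534e7d9372502772d99077d971e5f78487ae9aa7181a38c21374a6fce9c6

memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
MD5 45ba92f9204b213b4cd030f533161239
SHA1 4f5358a5a43fb93ce3213310cad8f557997278fa
SHA256 a2124651bc70ffdba771d55a30fb97351d312487e40f9af90cce41e0975241c2
SHA512 c3bd5a0ccce37e9a9375c6191e07b2f53f2ec66310dd33625731008959266fe3650ce6dcd5c9c287b02b4fbfee7a490424a3cb5666268d8a8ee200c4dbc06a8e

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
MD5 9fe9ad9271d89f6893111cad105803c9
SHA1 4032d9c8d57580c6f78c389b90a78719b3257086
SHA256 c547dbfb49ff140f95c960d1bb14979f4bddaf83fd2fae8d941aebe377f2ef9e
SHA512 05aaf652625da4be1914b23f00b94998c1546b45caaa1f71ba3f504e717af34062fd6f3a5487e36511e90a9dc2077babcedf43a05a4b8ad08d12e7483f0120ad

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
MD5 c99b297ae587a31fec6551ee74ac9029
SHA1 49544a1e76e7a585c968a9637f18035c1a83c59c
SHA256 428d0a7f6f03f5fdc2ba4754cede4afad4646b06c4fd6f24dcf9ff38f188c4e8
SHA512 5b1dd0c6a65376dd0dbc2a848580c9b4c06ff52a50b9c5109e695766de7b1ff1da74a75f05b24aae4e2947c49493e4dbb92ea36b7286b8c1e954c0bda176d0cd
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")

# Digests of zero bytes, computed so the check cannot drift from hashlib's output.
EMPTY_DIGESTS = {a: hashlib.new(a.lower(), b"").hexdigest() for a in HASH_ALGOS}


def normalize_path(path: str) -> str:
    """Drop an optional drive letter and lower-case, so 'C:\\Users\\..' and '\\Users\\..' merge."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_file_entries(text: str) -> list[dict[str, str]]:
    """Parse a path line followed by 'ALGO hex' lines into one dict per dropped file.

    memory/... dump lines carry no digests and are skipped; entries without a
    SHA256 are dropped because they cannot be hunted on.
    """
    entries: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and current is not None:
            current[algo] = digest.lower()
        elif not line.startswith("memory/"):
            current = {"path": line}
            entries.append(current)
    return [e for e in entries if "SHA256" in e]


def is_empty_file(entry: dict[str, str]) -> bool:
    """True when every digest present is the digest of zero bytes (a transient empty file)."""
    return all(entry[a] == EMPTY_DIGESTS[a] for a in HASH_ALGOS if a in entry)


def hunt_iocs(text: str) -> dict[str, set[str]]:
    """Return {normalized path: SHA256 set} with empty-file and duplicate entries removed."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for e in parse_file_entries(text):
        if is_empty_file(e):
            continue  # zero-byte snapshot, not a usable indicator
        iocs[normalize_path(e["path"])].add(e["SHA256"])
    return dict(iocs)


if __name__ == "__main__":
    for path, digests in hunt_iocs(REPORT_FILES).items():
        print(path)
        for d in sorted(digests):
            print("  sha256:", d)
```

Run against the full Files sections, the same parser reduces the twelve hash blocks on this page to two dropped paths, and the empty-file check removes the one NY.exe snapshot that no detection should key on. Multiple surviving SHA256 values for one path are expected here and should all be kept: they are successive on-disk states of the dropper's payload, any of which may be what an endpoint saw.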