Malware Analysis Report

2024-10-19 07:06

Sample ID: 231223-byy4zsdhdr
Target: SENSIXDPANNEL.exe
SHA256: 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
Tags: marsstealer, default, stealer, spyware
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48

Threat Level: Known bad

The file SENSIXDPANNEL.exe was found to be: Known bad.

Malicious Activity Summary

Tags: marsstealer, default, stealer, spyware

Mars Stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory


Analysis: static1

Detonation Overview

Reported

2023-12-23 01:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-23 01:33

Reported

2023-12-23 01:36

Platform

win10v2004-20231215-en

Max time kernel

1s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Signatures

Mars Stealer

Tags: stealer, marsstealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Adobe\L.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

C:\Users\Admin\AppData\Roaming\Adobe\L.exe

"C:\Users\Admin\AppData\Roaming\Adobe\L.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1368

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-23 01:33

Reported

2023-12-23 01:36

Platform

win7-20231129-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe

"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"

C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe

"C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.moscow-post.com udp
RU 185.71.67.60:80 www.moscow-post.com tcp
US 8.8.8.8:53 www.moscow-post.su udp
RU 185.71.67.60:80 www.moscow-post.su tcp

Files
