marsstealer | b7d757263aac8d89154f7962550b795cca99e2df080d8bfdfbc3582b1a0d8d43

General

Target

UndertaleTrainer.exe
Size

3.8MB
MD5

8669e8f71fd06872bbc1d2399c33d7b1
SHA1

6cdcbc65e5b4d30c3e2e9e3e2c7ad4ed8373bcc5
SHA256

b7d757263aac8d89154f7962550b795cca99e2df080d8bfdfbc3582b1a0d8d43
SHA512

b353fb22d846994f6c09258cccf63f92ae9db14e4dc5965bc67c7c539bdc8f51e599c7bb70a6668d8d6aeacb1551e333ae70630e1ac58f21c49032052dffa847
SSDEEP

12288:zNS9x1JXkDAoqsTAoFhb6lRZu4W1K8waHyu2Um4ytvqMNVw2LW86B7SiU:zeAzW4f

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

PVZQIE.exe

pid process

2784 PVZQIE.exe
Loads dropped DLL 5 IoCs

Processes:

UndertaleTrainer.exeWerFault.exe

pid process

2948 UndertaleTrainer.exe
2948 UndertaleTrainer.exe
1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 2784 WerFault.exe PVZQIE.exe
Modifies registry class 1 IoCs

Processes:

PVZQIE.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\MuiCache PVZQIE.exe

pid	process
2784	PVZQIE.exe

pid	process
2948	UndertaleTrainer.exe
2948	UndertaleTrainer.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

pid	pid_target	process	target process
1680	2784	WerFault.exe	PVZQIE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\MuiCache	PVZQIE.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

UndertaleTrainer.exePVZQIE.exe

description	pid	process	target process
PID 2948 wrote to memory of 2784	2948	UndertaleTrainer.exe	PVZQIE.exe
PID 2948 wrote to memory of 2784	2948	UndertaleTrainer.exe	PVZQIE.exe
PID 2948 wrote to memory of 2784	2948	UndertaleTrainer.exe	PVZQIE.exe
PID 2948 wrote to memory of 2784	2948	UndertaleTrainer.exe	PVZQIE.exe
PID 2784 wrote to memory of 1680	2784	PVZQIE.exe	WerFault.exe
PID 2784 wrote to memory of 1680	2784	PVZQIE.exe	WerFault.exe
PID 2784 wrote to memory of 1680	2784	PVZQIE.exe	WerFault.exe
PID 2784 wrote to memory of 1680	2784	PVZQIE.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\UndertaleTrainer.exe
"C:\Users\Admin\AppData\Local\Temp\UndertaleTrainer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe
"C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 564
3⤵
- Loads dropped DLL
- Program crash
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
02f496531fe2a8531f1f3bbcc4ca83dd

SHA1
d0f3f553e26fe892d9f2959f261cbc666726edf6

SHA256
ef0060913b0b9889c4f29c8492a9fbad10b56dde021dff49407a2e1d38bb246a

SHA512
9c7c292b4a05cfec89e34597f3f216aee0eb6539fec4edd561919e1148e37e9228291244005e43077daa36d1392bba60664294dc381965a8518c22e446ac3767

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\TarC395.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe
Filesize
159KB

MD5
b13a4bddff058d6c9c44d62ecf492563

SHA1
dcf173cf7a9ae1c9b28c92a13bca0b619dee3511

SHA256
ff90f644a5d0af130cf8d61d0908447a8953d3be58c0ecd8b23f03534df30e4c

SHA512
7c8611fd762dbd1b77788dc0950323adf751a1a881b855c8b8cf132f4b3515479c56789b1360a028d5704426f37fb4610effb79824c0bc0ea85f2a3d7c638a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe
Filesize
92KB

MD5
8cc76969b76e6cd21e2962bf4ec38834

SHA1
00f9793e7b740c91b043a5bee65a2e62cf7611bf

SHA256
b8acaa0830c9799d74fd1a78ce4e4051f2f85ffb1298f9d20eda63d21794173c

SHA512
b9c0f88766977249a3f0fc56c22953a314210d4c7e7ef209bd0c97c0b2e1badcb8c3d6e4b5cad6d7626d4b7c65380456b2a3d549dff7766f8e11f09bf0d1d87f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe
Filesize
140KB

MD5
26a438749e676718c9213208686053f1

SHA1
e7916ca29fb1fdf459f8ec3a5b017c57cf168218

SHA256
62297c5b3b1a5cbea2177daa053eb3594fd37357f3aa80b177b472cf9c49b8ff

SHA512
98a4d1a1c67a59b9886c57bf4d69066fc388ecf6d18b2e3617767f625b4cf38f46eebd632b87b944a3bb53c8902d8a19d43266450a6d45f8b84d29a060028dd8

Download Submit
memory/2784-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2948-0-0x0000000000ED0000-0x0000000000F42000-memory.dmp

Filesize
456KB

Download
memory/2948-1-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-13-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-11-0x0000000000E60000-0x0000000000E9D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing