Malware Analysis Report

2024-10-19 07:06

Sample ID 231225-bqvrlaadf4
Target 40cf5b7e5c505da78a7f66d2950effbf.bin
SHA256 2036928122f63d2ce88ba94aa48f0e2e42af769d2731118e441b568fb7866182
Tags
marsstealer default spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2036928122f63d2ce88ba94aa48f0e2e42af769d2731118e441b568fb7866182

Threat Level: Known bad

The file 40cf5b7e5c505da78a7f66d2950effbf.bin was found to be: Known bad.

Malicious Activity Summary

marsstealer default spyware stealer

Mars Stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-25 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 01:21

Reported

2023-12-25 01:24

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"

Signatures

Mars Stealer

stealer marsstealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Adobe\.exe

Processes

C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe

"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"

C:\Users\Admin\AppData\Roaming\Adobe\.exe

"C:\Users\Admin\AppData\Roaming\Adobe\.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 800

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.moscow-post.com udp
RU 185.71.67.60:80 www.moscow-post.com tcp
US 8.8.8.8:53 www.moscow-post.su udp
RU 185.71.67.60:80 www.moscow-post.su tcp

Files

memory/2184-0-0x00000000000F0000-0x0000000000162000-memory.dmp

memory/2184-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/2184-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

\Users\Admin\AppData\Roaming\Adobe\.exe

MD5 53eb0bcc17ccf65660a7266e3287ebd6
SHA1 c4f2201da904be4882a104d6a291f70aebefb0a6
SHA256 7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1
SHA512 2c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa

memory/2184-7-0x0000000000850000-0x000000000088D000-memory.dmp

memory/2184-13-0x0000000000850000-0x000000000088D000-memory.dmp

memory/868-14-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2184-15-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 01:21

Reported

2023-12-25 01:24

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"

Signatures

Mars Stealer

stealer marsstealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe

"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1412

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 www.moscow-post.com udp
RU 185.71.67.60:80 www.moscow-post.com tcp
US 8.8.8.8:53 www.moscow-post.su udp
US 8.8.8.8:53 60.67.71.185.in-addr.arpa udp
RU 185.71.67.60:80 www.moscow-post.su tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
GB 96.17.178.174:80 tcp

Files

memory/1172-0-0x0000000000800000-0x0000000000872000-memory.dmp

memory/1172-1-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/1172-2-0x00000000052F0000-0x0000000005300000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe

MD5 53eb0bcc17ccf65660a7266e3287ebd6
SHA1 c4f2201da904be4882a104d6a291f70aebefb0a6
SHA256 7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1
SHA512 2c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa

memory/1480-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1172-13-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/1480-15-0x0000000000400000-0x000000000043D000-memory.dmp