Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 05:54
Static task: static1
Behavioral task: behavioral1
- Sample: [Hentai JOI] MrsNuzuki Patreon 2023.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: [Hentai JOI] MrsNuzuki Patreon 2023.exe
- Resource: win10v2004-20231215-en
General
- Target: [Hentai JOI] MrsNuzuki Patreon 2023.exe
- Size: 11.5MB
- MD5: 9386af6fd41ad96b318f63b35ba418c7
- SHA1: 68763a50793e358faf7d089ebd27febdd07e3b77
- SHA256: 71ea59cbedf3c80b6e47bcd746463de8d82b650e0666183a3bd47bf1b2633378
- SHA512: 9344b70e176d9a892f22c5d192a714c19ec2beb6c6d997e72cc2fd8c7103cfeaa670e6f2fd234834ad18647dfbe9b31e12b49156821abf8391236a62261434f8
- SSDEEP: 12288:ytaCEOf6hozmO1LhZU2Pn5zvWKr5zaVTxOWQxBH+QWLoRrW4LbMQbKjVa:trOi70kLej
Malware Config
- Extracted: marsstealer (Default)
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2056  T3YLJIMS.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  1068  [Hentai JOI] MrsNuzuki Patreon 2023.exe
  1068  [Hentai JOI] MrsNuzuki Patreon 2023.exe
  2096  WerFault.exe
  2096  WerFault.exe
  2096  WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  2096  2056  WerFault.exe  T3YLJIMS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1068 wrote to memory of 2056  1068  [Hentai JOI] MrsNuzuki Patreon 2023.exe  T3YLJIMS.exe
  PID 1068 wrote to memory of 2056  1068  [Hentai JOI] MrsNuzuki Patreon 2023.exe  T3YLJIMS.exe
  PID 1068 wrote to memory of 2056  1068  [Hentai JOI] MrsNuzuki Patreon 2023.exe  T3YLJIMS.exe
  PID 1068 wrote to memory of 2056  1068  [Hentai JOI] MrsNuzuki Patreon 2023.exe  T3YLJIMS.exe
  PID 2056 wrote to memory of 2096  2056  T3YLJIMS.exe  WerFault.exe
  PID 2056 wrote to memory of 2096  2056  T3YLJIMS.exe  WerFault.exe
  PID 2056 wrote to memory of 2096  2056  T3YLJIMS.exe  WerFault.exe
  PID 2056 wrote to memory of 2096  2056  T3YLJIMS.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1068
  - C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe"
    Depth: 2
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2056
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 848
      Depth: 3
      - Loads dropped DLL
      - Program crash
      PID: 2096
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
  Filesize: 97KB
  MD5: f01befc15bb2e0a9f54e427731e13ec1
  SHA1: a0f32f1c63687fd678ac8ba9161cc345f809606f
  SHA256: d71f655ba364e807a234adf290ad48910c9bad749998ba512d72fca5777ce6a0
  SHA512: 1648f12b2eed120e29e9fba1bc8a59ae8faa077336a33562de32fc5e5100d83bf574a858ba6f2aa62cce6aeb5c513c8dc3f69e2394bb6fc0618d1f07dcc2d9e9
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
  Filesize: 113KB
  MD5: c138cc7d4791df2d9930f063dfaccdc8
  SHA1: 91baab622ac9dbaafff064c27281cf48ed6bee38
  SHA256: c4266efc851f47068fa6afda4726e88ef55ace22f222f71d80fef8abcc22b9a8
  SHA512: a572687fd1082c8601e481a51ac6bdd426cbc393789eee3a7a0a3996bff66dd15f3c98ec2826726239be6b66f6f81c07c17b2e030e3efd2131ac9718fcb5e91f
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
  Filesize: 81KB
  MD5: e1a63920912a17d77ba4661d309b835f
  SHA1: 500e7d02ec258ac0b82aabc49236f5e373173b61
  SHA256: ed054537934e1ed7698219315982213ae145985ecb1b40a0dc1a19b4108de7d0
  SHA512: c6ea5e0bb4f25b2a2e9d9b5eabeb2a03b7145c434df77f31fb2b23b86d1a717026cf868e8ee7a556a9aac3aaeffdae522e9b54411b750353ac433a4c194ede3c
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
  Filesize: 159KB
  MD5: ccbede8d2869535347316a479f0b8095
  SHA1: 1dd0e7574972260c77ca90638950d83c7b00d8f2
  SHA256: afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179
  SHA512: 9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456
- memory/1068-0-0x00000000013A0000-0x0000000001416000-memory.dmp
  Filesize: 472KB
- memory/1068-1-0x0000000074D60000-0x000000007544E000-memory.dmp
  Filesize: 6.9MB
- memory/1068-2-0x0000000000B50000-0x0000000000B90000-memory.dmp
  Filesize: 256KB
- memory/1068-13-0x0000000000AB0000-0x0000000000AED000-memory.dmp
  Filesize: 244KB
- memory/1068-11-0x0000000000AB0000-0x0000000000AED000-memory.dmp
  Filesize: 244KB
- memory/1068-15-0x0000000074D60000-0x000000007544E000-memory.dmp
  Filesize: 6.9MB
- memory/2056-14-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB