marsstealer | 21a174a42902e4e830e224ea8943c76f1a0730edafa280a99b09b5597c96af95

General

Target

ARK_Trainer_v0.9.9.9.exe
Size

8.7MB
MD5

185eb9ebbb379bf2b5dd37e5ed92eee1
SHA1

d9da98bcb2259cb1da248267d1568c3cec591fae
SHA256

21a174a42902e4e830e224ea8943c76f1a0730edafa280a99b09b5597c96af95
SHA512

45e9cbefef733d17c807e7f316f8be3f464c64008356eaa198802845f450b94f09f8cd2a529941ac57f4a78d5e5c98779d0900d23840ed865859e065ad1a56cc
SSDEEP

12288:FSooBq+S++WsHX+sFICSPSrmjwoCah2mVZ6B7AnebCaLvi4mWY:NYN+SPYK9neSW

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

IWLVPUQF6KMPJ.exe

pid process

3000 IWLVPUQF6KMPJ.exe
Loads dropped DLL 5 IoCs

Processes:

ARK_Trainer_v0.9.9.9.exeWerFault.exe

pid process

1752 ARK_Trainer_v0.9.9.9.exe
1752 ARK_Trainer_v0.9.9.9.exe
2468 WerFault.exe
2468 WerFault.exe
2468 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2468 3000 WerFault.exe IWLVPUQF6KMPJ.exe

pid	process
3000	IWLVPUQF6KMPJ.exe

pid	process
1752	ARK_Trainer_v0.9.9.9.exe
1752	ARK_Trainer_v0.9.9.9.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

pid	pid_target	process	target process
2468	3000	WerFault.exe	IWLVPUQF6KMPJ.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ARK_Trainer_v0.9.9.9.exeIWLVPUQF6KMPJ.exe

description	pid	process	target process
PID 1752 wrote to memory of 3000	1752	ARK_Trainer_v0.9.9.9.exe	IWLVPUQF6KMPJ.exe
PID 1752 wrote to memory of 3000	1752	ARK_Trainer_v0.9.9.9.exe	IWLVPUQF6KMPJ.exe
PID 1752 wrote to memory of 3000	1752	ARK_Trainer_v0.9.9.9.exe	IWLVPUQF6KMPJ.exe
PID 1752 wrote to memory of 3000	1752	ARK_Trainer_v0.9.9.9.exe	IWLVPUQF6KMPJ.exe
PID 3000 wrote to memory of 2468	3000	IWLVPUQF6KMPJ.exe	WerFault.exe
PID 3000 wrote to memory of 2468	3000	IWLVPUQF6KMPJ.exe	WerFault.exe
PID 3000 wrote to memory of 2468	3000	IWLVPUQF6KMPJ.exe	WerFault.exe
PID 3000 wrote to memory of 2468	3000	IWLVPUQF6KMPJ.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.exe
"C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\ProgramData\Start Menu\IWLVPUQF6KMPJ.exe
"C:\ProgramData\Start Menu\IWLVPUQF6KMPJ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 804
3⤵
- Loads dropped DLL
- Program crash
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\IWLVPUQF6KMPJ.exe
Filesize
17KB

MD5
249d7643798c617e309e8c71e3a95eee

SHA1
edd1c277ad7622af6fc287d80cb094811df39cbc

SHA256
3aaf4a21759c804747aa2723f263c2c1766d155064e1dbbcf2a912c23781ff09

SHA512
934a29d5a69348f7371e19a6d80348b7f4e9fd2c76d06b40ae3c82eb6bf5fcf7da895a826ed150d64d9ae27b1b9c1d2193a68703983d929c6381526085667f81

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\IWLVPUQF6KMPJ.exe
Filesize
59KB

MD5
5041d4345a924b71f9c12773218df4c5

SHA1
ebb0069cb966d467e200b46e5e22c6f7cf77fb67

SHA256
e265be835410c7af1d86f0a97b926a1feaefc3b9c72ee8414fbbafa7b12ab4e1

SHA512
273f45d2594ae615b9b155b6adc78f1984aa602af0f84d721fd8b3b4852aadd310e2bb8964d514bc451e8b92116c044cb3de15a1c0c073fbd915f3a08f9bd229

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\IWLVPUQF6KMPJ.exe
Filesize
159KB

MD5
80ffae827667bd2a86cc1d1b17745ba3

SHA1
dae012b46c61ce189319b7d04a7d405db3f733f2

SHA256
dd9285cabf5ff86f34600c4b947c5cb2d442fed6391b14b52c6f0c94c8fff276

SHA512
4ac4ecbd086bd340879676f2c7d3d83b684f0c3ba688dc9a289910c531b1d90ad67c34fc799c51a65c1339d52533aacaed117eedd847fa024232b882908c9442

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\IWLVPUQF6KMPJ.exe
Filesize
25KB

MD5
2f8f1d086fd6bfb63a2281df5ae3220f

SHA1
6e2ea45bc04b74addda0cae668005d52c58fa4fd

SHA256
128cb13ec879ef14d50a35bfc0b4e31dea4cf7230f9a6c9254ac5db5ce502305

SHA512
09377493356112275600e522d5fa10f76ba5b3f75588625a6b3c158155de24d660c5785bb052ec545f69bb2cccb145c933352da2dd5e1772b9ab89d82c77d4d2

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\IWLVPUQF6KMPJ.exe
Filesize
23KB

MD5
ab81b273d009a664727cfdc941c8e67a

SHA1
ebff03cb364fa420a5d69b2e4aa633d264eb7034

SHA256
fbc18ac69e4960abd6b2f79671cb724b6f37d2ed723d9d5f7a515f925ff58f32

SHA512
a05fc819a3fe8ad0723344689e9d5dd4c9296235cfab2945050f20c66d2f15eb336dca4eacedf112b4bc578eb56033d48d46bb23e15fa090bc961a5ff1f855f6

Download Submit
memory/1752-0-0x0000000001130000-0x00000000011BE000-memory.dmp

Filesize
568KB

Download
memory/1752-1-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-2-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download
memory/1752-13-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-12-0x0000000000C00000-0x0000000000C3D000-memory.dmp

Filesize
244KB

Download
memory/1752-11-0x0000000000C00000-0x0000000000C3D000-memory.dmp

Filesize
244KB

Download
memory/3000-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing