marsstealer | 21a174a42902e4e830e224ea8943c76f1a0730edafa280a99b09b5597c96af95

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ARK_Trainer_v0.9.9.9.exe
Size

8.7MB
MD5

185eb9ebbb379bf2b5dd37e5ed92eee1
SHA1

d9da98bcb2259cb1da248267d1568c3cec591fae
SHA256

21a174a42902e4e830e224ea8943c76f1a0730edafa280a99b09b5597c96af95
SHA512

45e9cbefef733d17c807e7f316f8be3f464c64008356eaa198802845f450b94f09f8cd2a529941ac57f4a78d5e5c98779d0900d23840ed865859e065ad1a56cc
SSDEEP

12288:FSooBq+S++WsHX+sFICSPSrmjwoCah2mVZ6B7AnebCaLvi4mWY:NYN+SPYK9neSW

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

moscow-post.ru/patch/server/udryhdj.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ARK_Trainer_v0.9.9.9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ARK_Trainer_v0.9.9.9.exe

Executes dropped EXE 1 IoCs

Processes:

UV6.exe

pid process

2052 UV6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1956 2052 WerFault.exe UV6.exe

pid	process
2052	UV6.exe

pid	pid_target	process	target process
1956	2052	WerFault.exe	UV6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ARK_Trainer_v0.9.9.9.exe

description	pid	process	target process
PID 2452 wrote to memory of 2052	2452	ARK_Trainer_v0.9.9.9.exe	UV6.exe
PID 2452 wrote to memory of 2052	2452	ARK_Trainer_v0.9.9.9.exe	UV6.exe
PID 2452 wrote to memory of 2052	2452	ARK_Trainer_v0.9.9.9.exe	UV6.exe

C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.exe
"C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Roaming\Adobe\UV6.exe
"C:\Users\Admin\AppData\Roaming\Adobe\UV6.exe"
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1384
3⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2052 -ip 2052
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\UV6.exe
Filesize
19KB

MD5
1d592e36610d0b456b9f028420f51aab

SHA1
7fd896fcdaf27c838e5e060cd15525453ac86672

SHA256
541ac20ebe74cac3869a37ede7cee8001add7c4c1ddc19473b92f8fdd8d1617d

SHA512
a765de52b14465664590c765036a1765b641d565eaf8471ec2337bdc7dfa4850b2e08c97257366996911c68dc06368e40de9b60ae9c690053efce8d361fc79dd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\UV6.exe
Filesize
43KB

MD5
d35337fa866aa5257f8ae83ebd058763

SHA1
43aeea752fb472a3abad60302a9f8eb32e526004

SHA256
c23916993c94cc01d3085076bce479a48422b54300a869d0466a39a596486f51

SHA512
33784671253d00bab88c2db23a38cd566016bba00dcc1c03f56534bdfe3601be4b21f98b2642134b2941986dedc491c27e718815627d6c73687b14515f338668

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\UV6.exe
Filesize
20KB

MD5
f88c882628c41a9707e9ed3af3318d0f

SHA1
f119cb15d41b081de70135e465dd152eb554a266

SHA256
aedfc767377935807e159965b08b1922b9482d06119eb6678511fcb9c0166cb1

SHA512
899d5818ad97f5236149138b122a972cdc25a75314c316d740cd6561f6101b68c6de3288fffe49d07a00a970d8db848c269d45b60618af937deac4f5d4baecd5

Download Submit
memory/2052-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2452-0-0x0000000000DC0000-0x0000000000E4E000-memory.dmp

Filesize
568KB

Download
memory/2452-1-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2452-2-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2452-13-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download