Overview

overview

10

Static

static

3

l81rhzIPTi...1T.exe

windows7-x64

10

l81rhzIPTi...1T.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe

  • Size

    13.4MB

  • MD5

    6e08d023664e3f4e835ec3ec198b883a

  • SHA1

    43f2f3321a51f1ca308af891d2e1dbaaee48b045

  • SHA256

    791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad

  • SHA512

    41d44ed76ecda43eab891a2e07cb43481478c39797e44ed017654a8bca346b90bfcf4f444532d8e9765173c2e9b26d5f524fe42ec9a7830230fedbe21f9e0ec1

  • SSDEEP

    12288:bu5DqC9/n1D0jAV8eCeoIl1TroJMExsi+vakV7tbQ3KtwU:buDXVsUThTFyJm

Score
10/10
marsstealerdefaultstealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

    stealermarsstealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
    "C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe"
      2⤵
      • Executes dropped EXE
      PID:2932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 800
        3⤵
        • Program crash
        PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
    Filesize

    4KB

    MD5

    eb0680504d3ca22008b08327a8ce09e3

    SHA1

    47b07970c240192169eac937472f751f1fd9e0e3

    SHA256

    ebb307a6e265896dd577b4c3d4b63ccbf80bf8110f26a3fc187d2ce5a8791d0d

    SHA512

    193ebf150b55c6bee9546ca156e9922154b05a38a72745fb4745ab7d5a070ea70ecb7e38ebefce734a0a5d6ae6b39cfa9d421fa0d0e8a8408d81edc5ec403433

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
    Filesize

    40KB

    MD5

    d8b98e538a7ad708e9893690f7252dda

    SHA1

    08926028284abc88850b64f88204dccd904c55c8

    SHA256

    e1518570b9e396a706e70e696df42b136152a3300a9b81c3db3776a170d0bb39

    SHA512

    5139b442f57f09e03d9f64aa3749633f55ec2f8519d91ff4a422f675d90f1d8adcc6d5414913ab76557dbff933e7b7e86a4de819cb76a79c8b73b125f563e644

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
    Filesize

    24KB

    MD5

    2b782fa3b96d1f18854bdeb7a27ed072

    SHA1

    14f3d5bdcf8b6ece779080ec117f42f61adc70d0

    SHA256

    d713131c5f5e891e65c017bbcb170e4e8d11eb378fcbfad2b5e756cfea96ff21

    SHA512

    21f0d40abde26c3c5145db8c32f496524d94dd1caea97c830d80462fbdb0053be641de8aa91aa98ed4ff1028c6ed0d0d59222cf04105c67f6783c7d4aea82430

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
    Filesize

    1KB

    MD5

    353dabf9e73014ad17d3c4378b48d19e

    SHA1

    d42a1496d8c4bc2132cb171f197cc0de7e069aa6

    SHA256

    7320fcdbb7d6ea774b5c205d641540d6f6004dfc2d32e3c633aedd791709678c

    SHA512

    de4436c05e20b3cfb5ca08f6bac180772aed3597cabfd0a0da684193dcf25f86a0d75d42efa3bcc1c5a55a2912ab41000089be71b135d473776cf06925be8a9a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
    Filesize

    31KB

    MD5

    9f40bba758dc19efb74aee4e523bf8e7

    SHA1

    bc373de4b456bf1747967dd20795f852e6d391a0

    SHA256

    533e61db7deeffa08935680a558d48a34d74326047ec045aaf00a77b9e432781

    SHA512

    af5ee8576938638b121678e69734198a2873d651dd71916768f4e0f15230c2828b09559103ff8b43e4b4d1ce9de212199c9cefa3f795f6d584742af17a6aeb3d

    Download Submit
  • memory/2232-0-0x0000000000E30000-0x0000000000EB2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2232-1-0x0000000074170000-0x000000007485E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2232-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2232-13-0x0000000074170000-0x000000007485E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2932-12-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download