marsstealer | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad

Analysis

max time kernel
1s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
Size

13.4MB
MD5

6e08d023664e3f4e835ec3ec198b883a
SHA1

43f2f3321a51f1ca308af891d2e1dbaaee48b045
SHA256

791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad
SHA512

41d44ed76ecda43eab891a2e07cb43481478c39797e44ed017654a8bca346b90bfcf4f444532d8e9765173c2e9b26d5f524fe42ec9a7830230fedbe21f9e0ec1
SSDEEP

12288:bu5DqC9/n1D0jAV8eCeoIl1TroJMExsi+vakV7tbQ3KtwU:buDXVsUThTFyJm

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

moscow-post.com/xaoniu/server/waungowangued/g.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4700 4016 WerFault.exe .exe

pid	pid_target	process	target process
4700	4016	WerFault.exe	.exe

C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
"C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"
1⤵
PID:4976

C:\Users\Admin\AppData\Roaming\Adobe\.exe
"C:\Users\Admin\AppData\Roaming\Adobe\.exe"
2⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1416
3⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4016 -ip 4016
1⤵
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
81KB

MD5
42df9c28ba938997af3ee506c249a5d6

SHA1
b12690ee805951fddb9848404cc7ca650eaad825

SHA256
3a60de2b6bf8d391f66fc7cb4bde35ba96d9db4d0693e2efe19b0ee1bef1066c

SHA512
8e1767f77a16c55eebf0ea898b21869c5e76ef6e205ce4fe6eed5aa76b92927d7d634f970146502a77163a13ec1149922aca2a0bf9015db725912dc4c8a72c88

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
41KB

MD5
9cfb967a9021a68af8ba9625de647c72

SHA1
275aa0aaec18de91da422401890867a27fe2b30a

SHA256
58463b674705529b68d016c8b5984676bedcf24af915a576f0151e20afa1d5fd

SHA512
9aaf5fd4afe43860c3e9193563a3e3a3d18326fa9400f93dd8f1172f1550c3c85d2b12cd12b2f90d9641b5a7fb83e4fde087ee4ebf1a1826c5498c21ae6f5127

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
112KB

MD5
4f0ae11aa2016788fae2bc5de69c71fd

SHA1
409140aa07e41557eafc02ea3a7467410c6427fd

SHA256
b708f9a92c2fdfc06d4f0112fe3799173c994014566c984a69eeae35b1c44263

SHA512
c132cf8ed15bf124aa40e8b7f0a00bfa32eca1b94b27b50ef3f2f16c80adadb45626ad0a439acf57aa4b697d8adcaedbab0084f9270b4cef86fedf96a113596f

Download Submit
memory/4016-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4016-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4976-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4976-2-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4976-0-0x0000000000DF0000-0x0000000000E72000-memory.dmp

Filesize
520KB

Download
memory/4976-13-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download