Malware Analysis Report

2024-10-19 07:06

Sample ID 231225-ls1qqsbda7
Target l81rhzIPTizNWD6pnZPRSFEDal16Xy1T
SHA256 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad
Tags
marsstealer default stealer
score
10/10

Analysis Overview

score
10/10

SHA256

791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad

Threat Level: Known bad

The file l81rhzIPTizNWD6pnZPRSFEDal16Xy1T was found to be: Known bad.

Malicious Activity Summary

marsstealer default stealer

Mars Stealer

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-25 09:48

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 09:48

Reported

2023-12-25 09:51

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"

Signatures

Mars Stealer

stealer marsstealer

Enumerates physical storage devices

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Users\Admin\AppData\Roaming\Adobe\.exe

Processes

C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe

"C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"

C:\Users\Admin\AppData\Roaming\Adobe\.exe

"C:\Users\Admin\AppData\Roaming\Adobe\.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1416

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.200:443  g.bing.com                    tcp
US       8.8.8.8:53          4.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          209.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53          moscow-post.com               udp
RU       185.71.67.60:80     moscow-post.com               tcp
US       8.8.8.8:53          www.moscow-post.com           udp
RU       185.71.67.60:80     www.moscow-post.com           tcp
US       8.8.8.8:53          60.67.71.185.in-addr.arpa     udp
US       8.8.8.8:53          www.microsoft.com             udp
US       92.123.241.137:80   www.microsoft.com             tcp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53          137.241.123.92.in-addr.arpa   udp
US       92.123.241.137:80   www.microsoft.com             tcp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53          www.moscow-post.su            udp
RU       185.71.67.60:80     www.moscow-post.su            tcp
US       8.8.8.8:53          23.236.111.52.in-addr.arpa    udp
GB       96.17.178.180:80                                  tcp
US       8.8.8.8:53          2.173.189.20.in-addr.arpa     udp

Files

memory/4976-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/4976-2-0x00000000058D0000-0x00000000058E0000-memory.dmp

memory/4976-0-0x0000000000DF0000-0x0000000000E72000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\.exe

MD5 9cfb967a9021a68af8ba9625de647c72
SHA1 275aa0aaec18de91da422401890867a27fe2b30a
SHA256 58463b674705529b68d016c8b5984676bedcf24af915a576f0151e20afa1d5fd
SHA512 9aaf5fd4afe43860c3e9193563a3e3a3d18326fa9400f93dd8f1172f1550c3c85d2b12cd12b2f90d9641b5a7fb83e4fde087ee4ebf1a1826c5498c21ae6f5127

C:\Users\Admin\AppData\Roaming\Adobe\.exe

MD5 42df9c28ba938997af3ee506c249a5d6
SHA1 b12690ee805951fddb9848404cc7ca650eaad825
SHA256 3a60de2b6bf8d391f66fc7cb4bde35ba96d9db4d0693e2efe19b0ee1bef1066c
SHA512 8e1767f77a16c55eebf0ea898b21869c5e76ef6e205ce4fe6eed5aa76b92927d7d634f970146502a77163a13ec1149922aca2a0bf9015db725912dc4c8a72c88

memory/4976-13-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/4016-12-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\.exe

MD5 4f0ae11aa2016788fae2bc5de69c71fd
SHA1 409140aa07e41557eafc02ea3a7467410c6427fd
SHA256 b708f9a92c2fdfc06d4f0112fe3799173c994014566c984a69eeae35b1c44263
SHA512 c132cf8ed15bf124aa40e8b7f0a00bfa32eca1b94b27b50ef3f2f16c80adadb45626ad0a439acf57aa4b697d8adcaedbab0084f9270b4cef86fedf96a113596f

memory/4016-15-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 09:48

Reported

2023-12-25 09:51

Platform

win7-20231215-en

Max time kernel

17s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"

Signatures

Mars Stealer

stealer marsstealer

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe

"C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 800

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          moscow-post.com               udp
RU       185.71.67.60:80     moscow-post.com               tcp
US       8.8.8.8:53          www.moscow-post.com           udp
RU       185.71.67.60:80     www.moscow-post.com           tcp
US       8.8.8.8:53          www.moscow-post.su            udp
RU       185.71.67.60:80     www.moscow-post.su            tcp

Files

memory/2232-0-0x0000000000E30000-0x0000000000EB2000-memory.dmp

memory/2232-1-0x0000000074170000-0x000000007485E000-memory.dmp

memory/2232-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe

MD5 353dabf9e73014ad17d3c4378b48d19e
SHA1 d42a1496d8c4bc2132cb171f197cc0de7e069aa6
SHA256 7320fcdbb7d6ea774b5c205d641540d6f6004dfc2d32e3c633aedd791709678c
SHA512 de4436c05e20b3cfb5ca08f6bac180772aed3597cabfd0a0da684193dcf25f86a0d75d42efa3bcc1c5a55a2912ab41000089be71b135d473776cf06925be8a9a

memory/2932-12-0x0000000000400000-0x000000000043D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe

MD5 9f40bba758dc19efb74aee4e523bf8e7
SHA1 bc373de4b456bf1747967dd20795f852e6d391a0
SHA256 533e61db7deeffa08935680a558d48a34d74326047ec045aaf00a77b9e432781
SHA512 af5ee8576938638b121678e69734198a2873d651dd71916768f4e0f15230c2828b09559103ff8b43e4b4d1ce9de212199c9cefa3f795f6d584742af17a6aeb3d

memory/2232-13-0x0000000074170000-0x000000007485E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe

MD5 d8b98e538a7ad708e9893690f7252dda
SHA1 08926028284abc88850b64f88204dccd904c55c8
SHA256 e1518570b9e396a706e70e696df42b136152a3300a9b81c3db3776a170d0bb39
SHA512 5139b442f57f09e03d9f64aa3749633f55ec2f8519d91ff4a422f675d90f1d8adcc6d5414913ab76557dbff933e7b7e86a4de819cb76a79c8b73b125f563e644

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe

MD5 2b782fa3b96d1f18854bdeb7a27ed072
SHA1 14f3d5bdcf8b6ece779080ec117f42f61adc70d0
SHA256 d713131c5f5e891e65c017bbcb170e4e8d11eb378fcbfad2b5e756cfea96ff21
SHA512 21f0d40abde26c3c5145db8c32f496524d94dd1caea97c830d80462fbdb0053be641de8aa91aa98ed4ff1028c6ed0d0d59222cf04105c67f6783c7d4aea82430

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe

MD5 eb0680504d3ca22008b08327a8ce09e3
SHA1 47b07970c240192169eac937472f751f1fd9e0e3
SHA256 ebb307a6e265896dd577b4c3d4b63ccbf80bf8110f26a3fc187d2ce5a8791d0d
SHA512 193ebf150b55c6bee9546ca156e9922154b05a38a72745fb4745ab7d5a070ea70ecb7e38ebefce734a0a5d6ae6b39cfa9d421fa0d0e8a8408d81edc5ec403433