marsstealer | 26d1a7f43e36efda53ec80f7914ecf5cf210eaad47d767c7c8b2dfe8fecf8301

Analysis

max time kernel
29s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cyber Hunter Install.exe
Size

4.9MB
MD5

f836f277cbcadfecfc988bf350d410c3
SHA1

f9a66d7876a6eb09763e0705beaa999d99f53754
SHA256

d38bc9871b0eba08a6b77314a6d3fdc94531315c2659ea60d8d23b4450ed3838
SHA512

ac284e90bf72d564ceaeda28383efc8793f286002d2d7ae37f08f05a9170faa5f77a8e741cb60fabb1f48f9abc769070fc3620fa9c5d7dfce60029b6d58c8280
SSDEEP

12288:D6BeSpuojQEv1E729k4nRQ/ceb5WdWOeoP3/F+2nGr6A5zuzhGlC5LcB+cVgeMtb:E0yLW2mudcocIE

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

9EM6.exe

pid process

280 9EM6.exe
Loads dropped DLL 5 IoCs

Processes:

Cyber Hunter Install.exe9EM6.exe

pid process

1424 Cyber Hunter Install.exe
1424 Cyber Hunter Install.exe
280 9EM6.exe
280 9EM6.exe
280 9EM6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2600 280 WerFault.exe 9EM6.exe

pid	process
280	9EM6.exe

pid	process
1424	Cyber Hunter Install.exe
1424	Cyber Hunter Install.exe
280	9EM6.exe
280	9EM6.exe
280	9EM6.exe

pid	pid_target	process	target process
2600	280	WerFault.exe	9EM6.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Cyber Hunter Install.exe

description	pid	process	target process
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe
PID 1424 wrote to memory of 280	1424	Cyber Hunter Install.exe	9EM6.exe

C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe
"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
"C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 688
3⤵
- Program crash
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
2KB

MD5
ad2a95786622c0f8381c66ce6e288fe7

SHA1
de37a2383d7af0889b8ed42b3194b2397b3adc60

SHA256
3d7c0ca5f8ab355faa6a68764c66bee1a0167b092fa8c9ecaeeb245d26ff9bb6

SHA512
2821472d13ef1d6f76c7639d1a9dc99b31ed0f52c7f897c1ae3df52a8b1764efa5a35ba5cafbb8d1847d1a913f160acd66245ddbda698f93844cb47dd9c53828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
64KB

MD5
9e8bd0c01eeae0b737b7173a19f57f54

SHA1
a012b9712f3a679d5fa11730c8ef50bc46df4043

SHA256
318d4321992baefca7111142e79e57b34e4cecd9a28dae68a8f02527497138cb

SHA512
f96409a47aebc0280bb20cc99e6cffe283f4798e46d1c621ffb4e9a2320d795fd71a2f8a7050fbe8af3953718a65bf536ea5acb62fa197d6cf8f105ca54c6784

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
114B

MD5
2e90ec096982c77ebaa32643f1994e5e

SHA1
fc3210c512ff65339aedddc91aef4abe4f6affc4

SHA256
be64e9677495910dd71ede0972593df3eca56dee3f7b37815057c32fcc2400c9

SHA512
1478f16bef01e3e5c2133e26fb5f082c18b213a4772a2329fc3e34425bcce02e9be034e6df26185dc2c6bf75dcf4a110bb75c017d8487033ee7455a65a59f4cb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
19KB

MD5
da99603bd817156f0d8bdac42f172bae

SHA1
fe0e5060e0c47dc10710d307f1b59dd170f5143c

SHA256
71bc9d1045f3f69cc605a832ece745361a9158d32d6d6345f878792e4baa05b5

SHA512
20974bec58c16155587a15d559d8dbf88954fa3939b44ad5634bef48feb40f19432cecbe80966dfb2a4257b1a6e1905caf145a569fdcef74948d7d7776232f31

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
22KB

MD5
10c03790d6fdc904a55829699743341d

SHA1
1881813b7b93c83b51e57759b8a31e6b2ca9920f

SHA256
a9f2ecdbd7f5d69afeb810a7ad86809fdd01a554a1c08fdd78c4ca4a70508ad4

SHA512
2ea2f35ff31d36b69a605196103a35cb3896d49a88255950ec7aef1b74b24865a1f61211bf435a05187e1e052e7ea28e30747b5c1e6d158c6a25378f87f40577

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
9KB

MD5
fa7877e143e5b2741b0827c560052cc1

SHA1
b2601aa10e9cc78b6b1abc7e953dd58cc803683c

SHA256
5e06badedcb57a279b8a62bffe3952cfed6a46d0e0029ed4981bffc33cc3205c

SHA512
259e98bb0f74a168f98fa14874a8d3a6cc9df09d3b7f47dfcfc99242596efec20a64b62ef9115ac32c4c2a8373298641b4ada3abfd411dd80f18f1155fbad73f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
8KB

MD5
22df38149245332166da93dc0832cb5e

SHA1
ef4b10ecb86d447fcd1c82213e7dcbf99a33ff14

SHA256
f5f66c2cf65d6ee7bae56afc4b6b9224bcb5d84b21498fa2f1827f8228f915ba

SHA512
d240cf09f0cfde21d3e4fb3edcff5fa7b9aa2f19e028aa677d0335b2eee87b145ae4527b552a200cf5edc58ac63368827df1130c1bba82dbbcb1e07851a0dc70

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
5KB

MD5
1c4ebb125ace66c85cf23f29c9ca1232

SHA1
235dfaae412b4cf0e381ff56ab2153176e04235d

SHA256
5be3892ef6593f47e557676e49dc9b224be3ff75e1f4911372d4e09728cecbdb

SHA512
89d1580d3fd550463fe4c346f4733b31b3ab586b87040e958a5d7ccea794aab5a7c667871903cf79d32f387e4be688268833c48ed523cb059fece8aa937dfd63

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
24KB

MD5
65e7b5ac6f28a91b5b5b1abe71770786

SHA1
388e80a0c7d3b154f4bbe580993b5a9bf747c2bc

SHA256
7520380223337c8ab56a1f5859ea35efdf275f8fac8f143d1163aa821df9c02a

SHA512
22bce4d2a57d381745847ea547943cd0c5d259148cd8646b811071643dfdeba2148fb39c885044c108c05eb092a952d3b9b6cf36fedc3500b592bb2aa67524f6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
34KB

MD5
2a23d1270f39656241d7a12e4edf8431

SHA1
4451a3fe3c3c3e0f2064cb643426bc4dc93d59cc

SHA256
95290e6266bc801fd2b9c8462e7e8a8f2166236056fcf971892b73ecb88d12ed

SHA512
d1659baa75b151c9d1678ca12b9ead2c7822c4a4c7f48e62eca8647b8b0aab2734d853157e7f7b4705e4dcd2805472a8a1431e54e3e1b691302fec564774d474

Download Submit
\Users\Admin\AppData\Local\Temp\Low\9EM6.exe
Filesize
35KB

MD5
f4129211f87cf9c212bfc6e4c0a7b70a

SHA1
18d27c4c09f0fe198de9d0751e202a1011f023c5

SHA256
7af58a818f70bcfb40237566b5f42fb98ace9f9dc74d45bc2824ce3d37ecd717

SHA512
bc575eaeaa209c37c0071a48852d8d980100e077f7fe444b0109d6cfd89d8011e7ea539021a1486be4a2334cb63a12b7b99a7a04e3354305554ff35f3ca2bf00

Download Submit
memory/280-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-0-0x00000000011D0000-0x0000000001262000-memory.dmp

Filesize
584KB

Download
memory/1424-15-0x00000000006F0000-0x000000000072D000-memory.dmp

Filesize
244KB

Download
memory/1424-10-0x00000000006F0000-0x000000000072D000-memory.dmp

Filesize
244KB

Download