Malware Analysis Report

2024-10-19 07:06

Sample ID 231225-mmxbssgcf4
Target Cyber Hunter Install.7z
SHA256 26d1a7f43e36efda53ec80f7914ecf5cf210eaad47d767c7c8b2dfe8fecf8301
Tags
marsstealer default stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26d1a7f43e36efda53ec80f7914ecf5cf210eaad47d767c7c8b2dfe8fecf8301

Threat Level: Known bad

The file Cyber Hunter Install.7z was found to be: Known bad.

Malicious Activity Summary

marsstealer default stealer

Mars Stealer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-25 10:35

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 10:35

Reported

2023-12-25 10:38

Platform

win7-20231215-en

Max time kernel

29s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"

Signatures

Mars Stealer

stealer marsstealer

Executes dropped EXE

Description  Indicator  Process                                         Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe  N/A

Enumerates physical storage devices

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe

"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"

C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

"C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 688

Network

Country  Destination      Domain               Proto
US       8.8.8.8:53       moscow-post.com      udp
RU       185.71.67.60:80  moscow-post.com      tcp
US       8.8.8.8:53       www.moscow-post.com  udp
RU       185.71.67.60:80  www.moscow-post.com  tcp
US       8.8.8.8:53       www.moscow-post.su   udp
RU       185.71.67.60:80  www.moscow-post.su   tcp

Files

memory/1424-0-0x00000000011D0000-0x0000000001262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 2e90ec096982c77ebaa32643f1994e5e
SHA1 fc3210c512ff65339aedddc91aef4abe4f6affc4
SHA256 be64e9677495910dd71ede0972593df3eca56dee3f7b37815057c32fcc2400c9
SHA512 1478f16bef01e3e5c2133e26fb5f082c18b213a4772a2329fc3e34425bcce02e9be034e6df26185dc2c6bf75dcf4a110bb75c017d8487033ee7455a65a59f4cb

memory/280-16-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1424-15-0x00000000006F0000-0x000000000072D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 fa7877e143e5b2741b0827c560052cc1
SHA1 b2601aa10e9cc78b6b1abc7e953dd58cc803683c
SHA256 5e06badedcb57a279b8a62bffe3952cfed6a46d0e0029ed4981bffc33cc3205c
SHA512 259e98bb0f74a168f98fa14874a8d3a6cc9df09d3b7f47dfcfc99242596efec20a64b62ef9115ac32c4c2a8373298641b4ada3abfd411dd80f18f1155fbad73f

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 10c03790d6fdc904a55829699743341d
SHA1 1881813b7b93c83b51e57759b8a31e6b2ca9920f
SHA256 a9f2ecdbd7f5d69afeb810a7ad86809fdd01a554a1c08fdd78c4ca4a70508ad4
SHA512 2ea2f35ff31d36b69a605196103a35cb3896d49a88255950ec7aef1b74b24865a1f61211bf435a05187e1e052e7ea28e30747b5c1e6d158c6a25378f87f40577

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 da99603bd817156f0d8bdac42f172bae
SHA1 fe0e5060e0c47dc10710d307f1b59dd170f5143c
SHA256 71bc9d1045f3f69cc605a832ece745361a9158d32d6d6345f878792e4baa05b5
SHA512 20974bec58c16155587a15d559d8dbf88954fa3939b44ad5634bef48feb40f19432cecbe80966dfb2a4257b1a6e1905caf145a569fdcef74948d7d7776232f31

C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 ad2a95786622c0f8381c66ce6e288fe7
SHA1 de37a2383d7af0889b8ed42b3194b2397b3adc60
SHA256 3d7c0ca5f8ab355faa6a68764c66bee1a0167b092fa8c9ecaeeb245d26ff9bb6
SHA512 2821472d13ef1d6f76c7639d1a9dc99b31ed0f52c7f897c1ae3df52a8b1764efa5a35ba5cafbb8d1847d1a913f160acd66245ddbda698f93844cb47dd9c53828

memory/1424-10-0x00000000006F0000-0x000000000072D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 9e8bd0c01eeae0b737b7173a19f57f54
SHA1 a012b9712f3a679d5fa11730c8ef50bc46df4043
SHA256 318d4321992baefca7111142e79e57b34e4cecd9a28dae68a8f02527497138cb
SHA512 f96409a47aebc0280bb20cc99e6cffe283f4798e46d1c621ffb4e9a2320d795fd71a2f8a7050fbe8af3953718a65bf536ea5acb62fa197d6cf8f105ca54c6784

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 f4129211f87cf9c212bfc6e4c0a7b70a
SHA1 18d27c4c09f0fe198de9d0751e202a1011f023c5
SHA256 7af58a818f70bcfb40237566b5f42fb98ace9f9dc74d45bc2824ce3d37ecd717
SHA512 bc575eaeaa209c37c0071a48852d8d980100e077f7fe444b0109d6cfd89d8011e7ea539021a1486be4a2334cb63a12b7b99a7a04e3354305554ff35f3ca2bf00

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 2a23d1270f39656241d7a12e4edf8431
SHA1 4451a3fe3c3c3e0f2064cb643426bc4dc93d59cc
SHA256 95290e6266bc801fd2b9c8462e7e8a8f2166236056fcf971892b73ecb88d12ed
SHA512 d1659baa75b151c9d1678ca12b9ead2c7822c4a4c7f48e62eca8647b8b0aab2734d853157e7f7b4705e4dcd2805472a8a1431e54e3e1b691302fec564774d474

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 1c4ebb125ace66c85cf23f29c9ca1232
SHA1 235dfaae412b4cf0e381ff56ab2153176e04235d
SHA256 5be3892ef6593f47e557676e49dc9b224be3ff75e1f4911372d4e09728cecbdb
SHA512 89d1580d3fd550463fe4c346f4733b31b3ab586b87040e958a5d7ccea794aab5a7c667871903cf79d32f387e4be688268833c48ed523cb059fece8aa937dfd63

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 22df38149245332166da93dc0832cb5e
SHA1 ef4b10ecb86d447fcd1c82213e7dcbf99a33ff14
SHA256 f5f66c2cf65d6ee7bae56afc4b6b9224bcb5d84b21498fa2f1827f8228f915ba
SHA512 d240cf09f0cfde21d3e4fb3edcff5fa7b9aa2f19e028aa677d0335b2eee87b145ae4527b552a200cf5edc58ac63368827df1130c1bba82dbbcb1e07851a0dc70

\Users\Admin\AppData\Local\Temp\Low\9EM6.exe

MD5 65e7b5ac6f28a91b5b5b1abe71770786
SHA1 388e80a0c7d3b154f4bbe580993b5a9bf747c2bc
SHA256 7520380223337c8ab56a1f5859ea35efdf275f8fac8f143d1163aa821df9c02a
SHA512 22bce4d2a57d381745847ea547943cd0c5d259148cd8646b811071643dfdeba2148fb39c885044c108c05eb092a952d3b9b6cf36fedc3500b592bb2aa67524f6

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 10:35

Reported

2023-12-25 10:38

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"

Signatures

Mars Stealer

stealer marsstealer

Checks computer location settings

Description        Indicator                                                                                            Process                                                     Target
Key value queried  \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\Adobe\TC.exe  N/A

Enumerates physical storage devices

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Users\Admin\AppData\Roaming\Adobe\TC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe

"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"

C:\Users\Admin\AppData\Roaming\Adobe\TC.exe

"C:\Users\Admin\AppData\Roaming\Adobe\TC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2552 -ip 2552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1404

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          g.bing.com                   udp
US       204.79.197.200:443  g.bing.com                   tcp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa   udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa  udp
US       8.8.8.8:53          149.177.190.20.in-addr.arpa  udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa    udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa     udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53          moscow-post.com              udp
RU       185.71.67.60:80     moscow-post.com              tcp
US       8.8.8.8:53          60.67.71.185.in-addr.arpa    udp
US       8.8.8.8:53          59.128.231.4.in-addr.arpa    udp
US       8.8.8.8:53          www.moscow-post.com          udp
RU       185.71.67.60:80     www.moscow-post.com          tcp
US       8.8.8.8:53          www.moscow-post.su           udp
RU       185.71.67.60:80     www.moscow-post.su           tcp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa   udp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa  udp
US       8.8.8.8:53          104.241.123.92.in-addr.arpa  udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa   udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa   udp
US       8.8.8.8:53          181.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          33.134.221.88.in-addr.arpa   udp
US       52.111.229.19:443                                tcp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa   udp
GB       96.17.178.193:80                                 tcp
US       204.79.197.200:443  g.bing.com                   tcp
GB       96.17.178.193:80                                 tcp

Files

memory/3124-0-0x0000000000E70000-0x0000000000F02000-memory.dmp

memory/3124-1-0x00000000747E0000-0x0000000074F90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\TC.exe

MD5 1f51c4bdd8bd5b81fe2638ffa85fd5d2
SHA1 43146ce6867ba788dc50ddfe1d9ec4d89aafd859
SHA256 e7dcfe91d1f3c1b1d33b8f7eae174999b04faec7825474baf846aaa408d97c38
SHA512 7f0d34c1ccf39cb0c5600507b2b00185e097a6423cc622b66659cd46aef6bb55b6a5806971a816eab3f990b8099cdc9a606cacab49a1f6bd002fcf9a2964ca98

memory/3124-12-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/2552-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\TC.exe

MD5 48b39c8f366a121dc87eae6a0bbf10b6
SHA1 974dc51b1b294fe51356720e7361c05ba27bbe0c
SHA256 708b49de584829cd69f01207d4dd138118fc9e01aaa3664206116a938026aaf7
SHA512 e4e97fc812dad021547a0b9fbf15ba819208d3fd537af26040be0058c94b53c16486b7c376c4cc1f24cbddbe548dd0586833f24e770b6a47c8eefb16f1015b3f

memory/2552-14-0x0000000000400000-0x000000000043D000-memory.dmp