marsstealer | d38bc9871b0eba08a6b77314a6d3fdc94531315c2659ea60d8d23b4450ed3838

Analysis

max time kernel
16s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cyber Hunter Install.exe
Size

4.9MB
MD5

f836f277cbcadfecfc988bf350d410c3
SHA1

f9a66d7876a6eb09763e0705beaa999d99f53754
SHA256

d38bc9871b0eba08a6b77314a6d3fdc94531315c2659ea60d8d23b4450ed3838
SHA512

ac284e90bf72d564ceaeda28383efc8793f286002d2d7ae37f08f05a9170faa5f77a8e741cb60fabb1f48f9abc769070fc3620fa9c5d7dfce60029b6d58c8280
SSDEEP

12288:D6BeSpuojQEv1E729k4nRQ/ceb5WdWOeoP3/F+2nGr6A5zuzhGlC5LcB+cVgeMtb:E0yLW2mudcocIE

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

24M.exe

pid process

240 24M.exe
Loads dropped DLL 5 IoCs

Processes:

Cyber Hunter Install.exe24M.exe

pid process

1128 Cyber Hunter Install.exe
1128 Cyber Hunter Install.exe
240 24M.exe
240 24M.exe
240 24M.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2916 240 WerFault.exe 24M.exe

pid	process
240	24M.exe

pid	process
1128	Cyber Hunter Install.exe
1128	Cyber Hunter Install.exe
240	24M.exe
240	24M.exe
240	24M.exe

pid	pid_target	process	target process
2916	240	WerFault.exe	24M.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Cyber Hunter Install.exe

description	pid	process	target process
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe
PID 1128 wrote to memory of 240	1128	Cyber Hunter Install.exe	24M.exe

C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe
"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Roaming\Identities\24M.exe
"C:\Users\Admin\AppData\Roaming\Identities\24M.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 724
3⤵
- Program crash
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
44KB

MD5
c55fc759de7e4cd28118685dbaddf3e2

SHA1
0e122cc4a32adf87ca2222d991342a9f7b05fb49

SHA256
ef92a94e67e72156345d170c7bd0becc08526cf80ea72a521d13b96dfa8f127e

SHA512
2f8b590219fd820f1bb594c34434c75bc912d55b3df990604f2f792c1cdd619acdb74f2f85d22bd979a5d632db591c4db9c09a15f20cdf04b1ab002beaec5bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
156KB

MD5
c1e0db9ec77d637022cfb6c8cd5b568e

SHA1
c1a04e277a3e9acc0b657695f71e5999bfa6af97

SHA256
944f8df384817d6e7ea0f2b99f464937420667ac0302e3906765db5bf81d1719

SHA512
790d07eadb454e020c9f3e71ebe07938d5b6b9c9e2354a2fb4ba177b19a320e297458f49400e9811bf5ffaeeb639c05c8cd4fbfddfe37a479df841fcfa2bdde1

Download Submit
C:\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
93KB

MD5
34bb6767f41b819638769755b4082488

SHA1
b48cd1f96b982f698fdfe865b0fc3851231ed39e

SHA256
21d87ffc8dedc53ec4671e895938e61247548fc5da2acb6fe5713ac40c353448

SHA512
ab5508bbc31e9d1db3295f8944f74d1de1f9bc9a35b2a1bf4317e35cb47b0225db095eaf3f16c82b073e149135f433ec3920de39d89e719a569bbbd38bd1315c

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
62KB

MD5
b26c076c727bbb8605bb533c4149007b

SHA1
1e5d6665b3b145ae848428772e182be9140f667b

SHA256
2336eecb4c9189dc2bc70caf3887becbb44a716fd233812064716b8f9cc4e9b4

SHA512
4e73a0221f11da968076933332d0bb825173004021af6742dfd6b45a85669dc2b5c94ded95c1b27204b3a2476c44dd143e357389e733c9da1d8d2a1f7f1eac5b

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
38KB

MD5
a24090e8db2b28f3b1616d3d1771d1bb

SHA1
7359faa6686893b935209d0bc82112caf1a484d9

SHA256
82a2307645f44f3f2610d0759c12f7872a704ea3e066616b95c1aa9da74d0287

SHA512
5167bc24cac752ce64aa5a24000139356ade59584082d833589a9d29bd7a3242298dd4585e11f821618e06f98d92359173454f543d382e6eb7f363084d0b343e

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
60KB

MD5
9bf90f6836af8d710923cd196be7c82c

SHA1
aeb0e7ef30542b4590e3f462c61e7e4878be47d7

SHA256
1eebbb3b93ffc65b24b1d205f5a0926285fd2a80de6660bc3d63c6cda7144f25

SHA512
eb7ab7e0f7284874e643c2cc0cb3e2da033ced672810cd6d26223fc7fe5bd136dbb52182f874c28ea2fb16e7f2207f5aaab1eb6e3bf8664457a242d9c604dbe3

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
20KB

MD5
d29e4e71d5960e9df5e045b211da7e7e

SHA1
b2491e425400222d6be92ed0d847f738381fb845

SHA256
75bcae17e797a8956697df7443bb5369706a2728740a457d72dcfcb7942e19df

SHA512
bca2e1dae6b0d7b7c03d58970c4234124b46018639b4777f5a1dfe7d5846a10d8da867472b7f8bbce61b5cb723f603cd2a385bb432c6d3126398b3912d2cf6c4

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
58KB

MD5
b057575b17c8111e4c3e1bb59c511e56

SHA1
73ef3e3909ffe4cd1e38b3455a95200fe48b413e

SHA256
5d2999757eda71c5dcc9bf864ff0931768cbaa1eaf32cc867063836a7ae8f1cc

SHA512
2718e45d748ff81e6173bc669d487838dd069b989145800b8b5b37fcb100f010a92592219a660eb1a6cefb0444785483e8dacbf2ef6e29972c09fee0fff9ab5f

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
19KB

MD5
ed8d1a57987618d68e85aedd18ea7c60

SHA1
2264d72a146e481a400a899b81c17a52530c5d0a

SHA256
4c8c5336336a50b79c31fadf879b3d25972166c8601ce2ff2e3b68640995cfb8

SHA512
57df3ce12b98329572d23151c962ab569bea7679ea7a1eecddb3fc235b93602d55ebeafd4c97712541fcaab68c67de0c9e12b8333023d44db0661c7bd41118d0

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
126KB

MD5
5126a1981200a37797bffac017ba9d0d

SHA1
5d185f8392e6a032e51ef5fd906ddc27e50ea441

SHA256
561816e947d8e688116760a20dd166266507fb18235191e408835faab78ab610

SHA512
cc06bb99d3415f15f9dac6f6c11b0c333418760acc2907b8a8e634c98e2191f1df6ff1eaa20c85bc4017e807026131862e977cc6bab4cef086d7ce6fb8f69487

Download Submit
\Users\Admin\AppData\Roaming\Identities\24M.exe
Filesize
26KB

MD5
d1c54fd6a198f7f20fc1d1f1d752c8f9

SHA1
c495e42943f34fa44b4569ac707f935ca6854ccc

SHA256
073185284671ea0a7858b0481776dd5d4379cb174ec899b5d19c547e65042643

SHA512
2b7398af3fdec6385ec90d96fa44bfff73d5081459d6cb600974cb20ba4d1da68c98b50174ac64e20107718379e52fe225cda399f569985517535135ec41aa72

Download Submit
memory/240-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1128-0-0x0000000000880000-0x0000000000912000-memory.dmp

Filesize
584KB

Download
memory/1128-15-0x0000000000DE0000-0x0000000000E1D000-memory.dmp

Filesize
244KB

Download
memory/1128-10-0x0000000000DE0000-0x0000000000E1D000-memory.dmp

Filesize
244KB

Download