Analysis
- max time kernel: 47s
- max time network: 27s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 07:07
Static task: static1
Behavioral task: behavioral1
- Sample: shellgpt4.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: shellgpt4.exe
- Resource: win10v2004-20231215-en
General
- Target: shellgpt4.exe
- Size: 4.0MB
- MD5: c62f737ce988b95d667ccfebcfcab323
- SHA1: d5a5f8aca605097e98163dd3163c9519fe2d5b7d
- SHA256: 9fba2c6f51319bc7585cd88948dfe4198a73a95d460d20f7c4ce54f892f84256
- SHA512: d6fb67ffec3b2e1d0add413f715b6b27ae9c0c887f05a770e3e15984d11058796ebcdcc9840818f9484990ebfb75e8fef928d1f6812eef3e24cbbce70e86f977
- SSDEEP: 12288:fLplFN+msYJ2nCuWyEHx7YsvTZq7FUEpJBC:HC9WtZM
Malware Config
- Extracted: marsstealer / Default
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 2192, XTFJI3.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  - pid 1052, shellgpt4.exe (2 entries)
  - pid 2748, WerFault.exe (3 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  - pid 2748, WerFault.exe; target pid 2192, XTFJI3.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1052 (shellgpt4.exe) wrote to memory of PID 2192 (XTFJI3.exe), 4 entries
  - PID 2192 (XTFJI3.exe) wrote to memory of PID 2748 (WerFault.exe), 4 entries
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\shellgpt4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shellgpt4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Users\Admin\AppData\Local\Temp\XTFJI3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XTFJI3.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 776
  - Loads dropped DLL
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\XTFJI3.exe
  - Filesize: 93KB
  - MD5: fbfd5c353f3916905974cc6d0016bc4e
  - SHA1: 16389c418d9956e944e0a8d7a6ee19e430f47855
  - SHA256: 2742297eee87a17fad114cea10cf2208224bba9422f8a6e07b590947a738bea8
  - SHA512: 4cba5761823879856d7cd9d4fe2099c0b00dfdad7480fbe126107e99bb187810a047f55d4f77b0fae63ceb5ec4ca78c8f9c9d696ce583d2c97f879a9df6b41a4
- \Users\Admin\AppData\Local\Temp\XTFJI3.exe
  - Filesize: 159KB
  - MD5: cb931b2b653c327a20844180e26675de
  - SHA1: 3e9186e83b682a167d12acb556b544a029059d80
  - SHA256: d638138809368db6e11149bddef9b835063c26f4b7d657ef1f8da7aec2042d63
  - SHA512: 9c68708ee543199b9d8ed809d69e4394fad5dfdcb324e70b9c2559985dffa3d487d0b8d98af647d871bce1ed47617b7e588f78fc2778641dd461e5dc7a442f32
- memory/1052-0-0x00000000000F0000-0x0000000000190000-memory.dmp
  - Filesize: 640KB
- memory/1052-1-0x0000000074270000-0x000000007495E000-memory.dmp
  - Filesize: 6.9MB
- memory/1052-2-0x00000000004E0000-0x0000000000520000-memory.dmp
  - Filesize: 256KB
- memory/1052-13-0x0000000074270000-0x000000007495E000-memory.dmp
  - Filesize: 6.9MB
- memory/2192-12-0x0000000000400000-0x000000000043D000-memory.dmp
  - Filesize: 244KB