Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 26-12-2023 07:07
Static task: static1
Behavioral task: behavioral1
- Sample: shellgpt4.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: shellgpt4.exe
- Resource: win10v2004-20231215-en
General
- Target: shellgpt4.exe
- Size: 4.0MB
- MD5: c62f737ce988b95d667ccfebcfcab323
- SHA1: d5a5f8aca605097e98163dd3163c9519fe2d5b7d
- SHA256: 9fba2c6f51319bc7585cd88948dfe4198a73a95d460d20f7c4ce54f892f84256
- SHA512: d6fb67ffec3b2e1d0add413f715b6b27ae9c0c887f05a770e3e15984d11058796ebcdcc9840818f9484990ebfb75e8fef928d1f6812eef3e24cbbce70e86f977
- SSDEEP: 12288:fLplFN+msYJ2nCuWyEHx7YsvTZq7FUEpJBC:HC9WtZM
Malware Config
Extracted: marsstealer
- Default: www.moscow-post.ru/bark/wpadmin/admin.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc                                                                                                              | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | shellgpt4.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  1804 | XN2FOK.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  1736 | 1804       | WerFault.exe | XN2FOK.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                     | pid | process       | target process
  PID 748 wrote to memory of 1804 | 748 | shellgpt4.exe | XN2FOK.exe
  PID 748 wrote to memory of 1804 | 748 | shellgpt4.exe | XN2FOK.exe
  PID 748 wrote to memory of 1804 | 748 | shellgpt4.exe | XN2FOK.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\shellgpt4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\shellgpt4.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\XN2FOK.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XN2FOK.exe"
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1380
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1804 -ip 1804
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\XN2FOK.exe
  Filesize: 159KB
  MD5: cb931b2b653c327a20844180e26675de
  SHA1: 3e9186e83b682a167d12acb556b544a029059d80
  SHA256: d638138809368db6e11149bddef9b835063c26f4b7d657ef1f8da7aec2042d63
  SHA512: 9c68708ee543199b9d8ed809d69e4394fad5dfdcb324e70b9c2559985dffa3d487d0b8d98af647d871bce1ed47617b7e588f78fc2778641dd461e5dc7a442f32
- memory/748-0-0x0000000000F50000-0x0000000000FF0000-memory.dmp
  Filesize: 640KB
- memory/748-1-0x0000000074640000-0x0000000074DF0000-memory.dmp
  Filesize: 7.7MB
- memory/748-2-0x0000000005A30000-0x0000000005A40000-memory.dmp
  Filesize: 64KB
- memory/748-13-0x0000000074640000-0x0000000074DF0000-memory.dmp
  Filesize: 7.7MB
- memory/1804-12-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/1804-15-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB