Analysis
- max time kernel: 122s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 08:17
Static task: static1
Behavioral task: behavioral1
- Sample: Filezilla PRO 5.8.9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: Filezilla PRO 5.8.9.exe
- Resource: win10v2004-20231215-en
General
- Target: Filezilla PRO 5.8.9.exe
- Size: 4.8MB
- MD5: 728faf303a62367c95e1df37507dc534
- SHA1: c61f2283df9f685088cae6d1c91607a062d5ebe1
- SHA256: ab2fdb8fe3e03ff69dbe25eb27d128a45c3975680df60ea982bfd9d48c1f8b6f
- SHA512: 4903e0ebc4577e145e1fc2fc8c1f0c91c75f3c6e097588bcf92f537cc889a9ddaff5b51a9995ed5f6c31d19cfecf9b5555b5b28fd7d995a68952c9a45915562f
- SSDEEP: 12288:uwXZ2Tv93L6VRtfGm0pRfhYOddQIHjAUAVHaas/V:r/O9DmVs/
Malware Config
Extracted
marsstealer
Default
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  3064  DNYVCTJ357T5G4.exe
-
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  3036  Filezilla PRO 5.8.9.exe
  3036  Filezilla PRO 5.8.9.exe
  2892  WerFault.exe
  2892  WerFault.exe
  2892  WerFault.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  2892  3064        WerFault.exe  DNYVCTJ357T5G4.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                       pid   process                  target process
  PID 3036 wrote to memory of 3064  3036  Filezilla PRO 5.8.9.exe  DNYVCTJ357T5G4.exe
  PID 3036 wrote to memory of 3064  3036  Filezilla PRO 5.8.9.exe  DNYVCTJ357T5G4.exe
  PID 3036 wrote to memory of 3064  3036  Filezilla PRO 5.8.9.exe  DNYVCTJ357T5G4.exe
  PID 3036 wrote to memory of 3064  3036  Filezilla PRO 5.8.9.exe  DNYVCTJ357T5G4.exe
  PID 3064 wrote to memory of 2892  3064  DNYVCTJ357T5G4.exe       WerFault.exe
  PID 3064 wrote to memory of 2892  3064  DNYVCTJ357T5G4.exe       WerFault.exe
  PID 3064 wrote to memory of 2892  3064  DNYVCTJ357T5G4.exe       WerFault.exe
  PID 3064 wrote to memory of 2892  3064  DNYVCTJ357T5G4.exe       WerFault.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Filezilla PRO 5.8.9.exe (PID 3036)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Filezilla PRO 5.8.9.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
-
  2. C:\Users\Admin\AppData\Local\Temp\DNYVCTJ357T5G4.exe (PID 3064, child of 3036)
     Command line: "C:\Users\Admin\AppData\Local\Temp\DNYVCTJ357T5G4.exe"
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
-
    3. C:\Windows\SysWOW64\WerFault.exe (PID 2892, child of 3064)
       Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 732
       - Loads dropped DLL
       - Program crash
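Read as a chain, the signature rows and the process tree above describe a dropper (PID 3036) that starts an executable it wrote to the user's Temp directory (PID 3064), writes into that child's memory four times, and then sees the child crash into WerFault.exe, which the faulting process itself launches with `-u -p <pid> -s <event>`. The script below is an added example, not code from the sandbox or from this report: it rebuilds the process and write events from the PIDs, paths and command line printed on this page (constructed input) and separates the parent-to-dropped-child writes, which earn an injection verdict, from the writes a crashing process makes into its own WerFault, which are ordinary Windows Error Reporting and would be false positives in a naive "any WriteProcessMemory" rule. The `Finding` type, the reason list and the threshold of three reasons are my own choices.

```python
"""Rank the WriteProcessMemory rows of a sandbox report into injection chains
versus benign crash handling.

Added example, not code from the sandbox or from the report; the events below
are constructed from the PIDs, image paths and command lines printed above.
"""
from collections import Counter
from dataclasses import dataclass

# pid -> (image path, parent pid, command line), reconstructed from the process tree.
PROCESSES = {
    3036: (r"C:\Users\Admin\AppData\Local\Temp\Filezilla PRO 5.8.9.exe", None,
           r'"C:\Users\Admin\AppData\Local\Temp\Filezilla PRO 5.8.9.exe"'),
    3064: (r"C:\Users\Admin\AppData\Local\Temp\DNYVCTJ357T5G4.exe", 3036,
           r'"C:\Users\Admin\AppData\Local\Temp\DNYVCTJ357T5G4.exe"'),
    2892: (r"C:\Windows\SysWOW64\WerFault.exe", 3064,
           r"C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 732"),
}
# Files the sandbox saw written to disk during the run (Downloads section).
DROPPED = {r"\Users\Admin\AppData\Local\Temp\DNYVCTJ357T5G4.exe"}
# (writer pid, target pid) for each "wrote to memory of" row: 4 + 4 rows.
WRITES = [(3036, 3064)] * 4 + [(3064, 2892)] * 4


@dataclass
class Finding:
    writer: int
    target: int
    writes: int
    verdict: str      # "injection", "review" or "crash"
    reasons: list


def dropped_executions(processes=PROCESSES, dropped=DROPPED):
    """PIDs whose image is a file dropped during the run ("Executes dropped EXE")."""
    return sorted(pid for pid, (path, _, _) in processes.items()
                  if any(path.lower().endswith(d.lower()) for d in dropped))


def is_self_reported_crash(writer, target, processes):
    """WerFault.exe started by the faulting process carries that process's PID
    after -p; the faulting process writing into it is normal WER behaviour."""
    tpath, tparent, tcmd = processes[target]
    return (tpath.lower().endswith("\\werfault.exe")
            and tparent == writer
            and f"-p {writer} " in tcmd + " ")


def analyse(processes=PROCESSES, writes=WRITES, dropped=DROPPED):
    """One Finding per (writer, target) pair, with the write count and verdict."""
    findings = []
    for (w, t), n in sorted(Counter(writes).items()):
        if is_self_reported_crash(w, t, processes):
            findings.append(Finding(w, t, n, "crash",
                                    ["target is WerFault for the writer's own crash"]))
            continue
        tpath, tparent, _ = processes[t]
        reasons = []
        if tparent == w:
            reasons.append("target is a direct child of the writer")
        if t in dropped_executions(processes, dropped):
            reasons.append("target image was dropped during the run")
        if "\\appdata\\local\\temp\\" in tpath.lower():
            reasons.append("target runs from the user's Temp directory")
        if n > 1:
            reasons.append(f"{n} separate writes into the target")
        verdict = "injection" if len(reasons) >= 3 else "review"
        findings.append(Finding(w, t, n, verdict, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse():
        print(f"{f.writer} -> {f.target} x{f.writes}: {f.verdict}; " + "; ".join(f.reasons))
```

Run as `python3 triage_writes.py`; on this report it yields one `injection` finding for 3036 -> 3064 and one `crash` finding for 3064 -> 2892. Swap in Sysmon event ID 1 (process create), 8/10 (remote thread, process access) and 11 (file create) records to use the same logic on live telemetry.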
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
\Users\Admin\AppData\Local\Temp\DNYVCTJ357T5G4.exe
  Filesize: 159KB
  MD5: 819c551927718d673578c5b01b4a5a2d
  SHA1: e8b0b90c9f9b1a9ccbd09a130c794e0f1da8bf8d
  SHA256: 0a46d7b18a991e024f6bfa58f652b4cda4bdda11cdfe13980ef96d4711beecca
  SHA512: dc5bfc3c8a40a93dc90ed44044642f7d8c43a2ddfbb644d5078db63493f02400a69629a3f9f0351646fd71b83e42938b310eb093edcc58e0044ead029dc23738
-
memory/3036-0-0x0000000000F80000-0x0000000001014000-memory.dmp
  Filesize: 592KB
-
memory/3036-1-0x0000000074170000-0x000000007485E000-memory.dmp
  Filesize: 6.9MB
-
memory/3036-2-0x00000000047E0000-0x0000000004820000-memory.dmp
  Filesize: 256KB
-
memory/3036-11-0x0000000000B80000-0x0000000000BBD000-memory.dmp
  Filesize: 244KB
-
memory/3036-13-0x0000000000B80000-0x0000000000BBD000-memory.dmp
  Filesize: 244KB
-
memory/3036-15-0x0000000074170000-0x000000007485E000-memory.dmp
  Filesize: 6.9MB
-
memory/3064-14-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
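The dump names encode the PID and the virtual address range that was captured, so the listed sizes can be recomputed and the regions compared across processes. The script below is an added example, not the sandbox's own tooling; the names and sizes are copied from the listing above, and the naming convention memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is assumed from those entries. Recomputing shows every size matches its range, and that the 244KB region dumped twice from the parent (0xB80000 in PID 3036) is exactly the size of the child's image mapped at the usual 32-bit base 0x400000 in PID 3064. That is the pair of dumps to diff when checking whether the parent staged the child's image before writing it in; the size match alone is a cue, not proof.

```python
"""Cross-check the memory-dump artefacts listed in the Downloads section.

Added example, not the sandbox's own code.  The dump file names and reported
sizes are copied from the report above; the name format assumed is
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# (dump name, size as printed in the report), constructed from the listing above.
DUMPS = [
    ("memory/3036-0-0x0000000000F80000-0x0000000001014000-memory.dmp", "592KB"),
    ("memory/3036-1-0x0000000074170000-0x000000007485E000-memory.dmp", "6.9MB"),
    ("memory/3036-2-0x00000000047E0000-0x0000000004820000-memory.dmp", "256KB"),
    ("memory/3036-11-0x0000000000B80000-0x0000000000BBD000-memory.dmp", "244KB"),
    ("memory/3036-13-0x0000000000B80000-0x0000000000BBD000-memory.dmp", "244KB"),
    ("memory/3036-15-0x0000000074170000-0x000000007485E000-memory.dmp", "6.9MB"),
    ("memory/3064-14-0x0000000000400000-0x000000000043D000-memory.dmp", "244KB"),
]


def parse_dump(name):
    """Split a dump file name into pid, capture index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human(n):
    """Size as the report prints it: one decimal for MB, whole KB otherwise."""
    return f"{n / (1 << 20):.1f}MB" if n >= 1 << 20 else f"{n // 1024}KB"


def check_sizes(dumps=DUMPS):
    """Does the address range of each dump match the size the report lists?"""
    return [(name, human(parse_dump(name)["size"]) == reported)
            for name, reported in dumps]


def shared_sizes(dumps=DUMPS):
    """Region sizes that appear in more than one process.  A region in the
    writer exactly the size of the child's image at its base is the pair of
    dumps to diff; it is a hint, not proof of hollowing."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        by_size[d["size"]].add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def image_base_regions(dumps=DUMPS, base=0x400000):
    """Dumps whose range starts at the usual 32-bit EXE image base."""
    return [name for name, _ in dumps if parse_dump(name)["start"] == base]


if __name__ == "__main__":
    for name, ok in check_sizes():
        d = parse_dump(name)
        print(f"{'ok ' if ok else 'BAD'} pid {d['pid']:>5} "
              f"0x{d['start']:08x}-0x{d['end']:08x} {d['size']:>8} bytes "
              f"({human(d['size'])})")
    for size, pids in shared_sizes().items():
        print(f"{human(size)} region present in pids {sorted(pids)}")
    print("image-base dumps:", image_base_regions())
```

The 159KB on-disk size of DNYVCTJ357T5G4.exe being smaller than its 244KB in-memory image is expected for any PE (SizeOfImage counts section alignment and uninitialised data), so that difference by itself carries no signal; the cross-process size match is what points at the two dumps worth comparing.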