Analysis
- max time kernel: 146s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 08:17
Static task: static1
Behavioral task: behavioral1
- Sample: Filezilla PRO 5.8.9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: Filezilla PRO 5.8.9.exe
- Resource: win10v2004-20231215-en
General
- Target: Filezilla PRO 5.8.9.exe
- Size: 4.8MB
- MD5: 728faf303a62367c95e1df37507dc534
- SHA1: c61f2283df9f685088cae6d1c91607a062d5ebe1
- SHA256: ab2fdb8fe3e03ff69dbe25eb27d128a45c3975680df60ea982bfd9d48c1f8b6f
- SHA512: 4903e0ebc4577e145e1fc2fc8c1f0c91c75f3c6e097588bcf92f537cc889a9ddaff5b51a9995ed5f6c31d19cfecf9b5555b5b28fd7d995a68952c9a45915562f
- SSDEEP: 12288:uwXZ2Tv93L6VRtfGm0pRfhYOddQIHjAUAVHaas/V:r/O9DmVs/
Malware Config
Extracted
- Family: marsstealer
- Botnet: Default
- C2: www.moscow-post.ru/bark/wpadmin/admin.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  Filezilla PRO 5.8.9.exe: key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
  IUX3XI.exe (pid 1484)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  WerFault.exe (pid 5056), target process IUX3XI.exe (pid 1484)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 2760 (Filezilla PRO 5.8.9.exe) wrote to memory of PID 1484 (IUX3XI.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\Filezilla PRO 5.8.9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Filezilla PRO 5.8.9.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IUX3XI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\IUX3XI.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1404
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1484 -ip 1484
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IUX3XI.exe
  Filesize: 159KB
  MD5: 819c551927718d673578c5b01b4a5a2d
  SHA1: e8b0b90c9f9b1a9ccbd09a130c794e0f1da8bf8d
  SHA256: 0a46d7b18a991e024f6bfa58f652b4cda4bdda11cdfe13980ef96d4711beecca
  SHA512: dc5bfc3c8a40a93dc90ed44044642f7d8c43a2ddfbb644d5078db63493f02400a69629a3f9f0351646fd71b83e42938b310eb093edcc58e0044ead029dc23738
- C:\Users\Admin\AppData\Local\Temp\IUX3XI.exe
  Filesize: 126KB
  MD5: 8f677ca821d079b9a4db05c6e98bbe14
  SHA1: 0ea96f22af8de0bed6ecfceee0f5bd1c7621f2a2
  SHA256: cec0aeb4ca6843037c2d74cc4ecaf525e21275eaad1875bd339e0485c349c47e
  SHA512: 0a8a78cdced77e99849a4264397235f3f33f8a1463bf5c23b5fa1e6ae6798666621f134dd546a1ec34060113380890522d2adca60b4a68e955148e19709aec86
- memory/1484-12-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/1484-15-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2760-1-0x0000000074B70000-0x0000000075320000-memory.dmp
  Filesize: 7.7MB
- memory/2760-0-0x00000000000C0000-0x0000000000154000-memory.dmp
  Filesize: 592KB
- memory/2760-2-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
  Filesize: 64KB
- memory/2760-13-0x0000000074B70000-0x0000000075320000-memory.dmp
  Filesize: 7.7MB