marsstealer | 9fba2c6f51319bc7585cd88948dfe4198a73a95d460d20f7c4ce54f892f84256

General

Target

ShellGPT4.exe
Size

4.0MB
MD5

c62f737ce988b95d667ccfebcfcab323
SHA1

d5a5f8aca605097e98163dd3163c9519fe2d5b7d
SHA256

9fba2c6f51319bc7585cd88948dfe4198a73a95d460d20f7c4ce54f892f84256
SHA512

d6fb67ffec3b2e1d0add413f715b6b27ae9c0c887f05a770e3e15984d11058796ebcdcc9840818f9484990ebfb75e8fef928d1f6812eef3e24cbbce70e86f977
SSDEEP

12288:fLplFN+msYJ2nCuWyEHx7YsvTZq7FUEpJBC:HC9WtZM

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

DTQZH.exe

pid process

2380 DTQZH.exe
Loads dropped DLL 5 IoCs

Processes:

ShellGPT4.exeWerFault.exe

pid process

2920 ShellGPT4.exe
2920 ShellGPT4.exe
2628 WerFault.exe
2628 WerFault.exe
2628 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2628 2380 WerFault.exe DTQZH.exe

pid	process
2380	DTQZH.exe

pid	process
2920	ShellGPT4.exe
2920	ShellGPT4.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

pid	pid_target	process	target process
2628	2380	WerFault.exe	DTQZH.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ShellGPT4.exeDTQZH.exe

description	pid	process	target process
PID 2920 wrote to memory of 2380	2920	ShellGPT4.exe	DTQZH.exe
PID 2920 wrote to memory of 2380	2920	ShellGPT4.exe	DTQZH.exe
PID 2920 wrote to memory of 2380	2920	ShellGPT4.exe	DTQZH.exe
PID 2920 wrote to memory of 2380	2920	ShellGPT4.exe	DTQZH.exe
PID 2380 wrote to memory of 2628	2380	DTQZH.exe	WerFault.exe
PID 2380 wrote to memory of 2628	2380	DTQZH.exe	WerFault.exe
PID 2380 wrote to memory of 2628	2380	DTQZH.exe	WerFault.exe
PID 2380 wrote to memory of 2628	2380	DTQZH.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ShellGPT4.exe
"C:\Users\Admin\AppData\Local\Temp\ShellGPT4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\DTQZH.exe
"C:\Users\Admin\AppData\Local\Temp\DTQZH.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 784
3⤵
- Loads dropped DLL
- Program crash
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
28KB

MD5
704fa59afa114f79e418d3e2eea22fdc

SHA1
1b3a316e5a4dcecd70b6bc409fb78f67dfd0ac48

SHA256
7c2124807545a0e3865ff8f455a51fcd292ec5855a7eb54dd7b2548ce88d484d

SHA512
f3d0d05bf58fc4183c188b61cf7ce20697f0a83711ea948ab21087a1a59eb683dcad07e615a4a625d7282a652dc91a7a22b99c19d29d34e7ade4e93e348ce5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
18KB

MD5
1d0d5729f77b8c4f59a4315fb42188a2

SHA1
d24045e73e76021e56d77d57e397b4d5506be312

SHA256
8d4cebc9776de8616167d9fc7d1bf67f3d61a0a4e7a82e455d2fed43acdfcd1d

SHA512
3164df528c18e63328985df7b896dbf4901971a45a649ba1cfedd8f887fb09825ed512adba467e1e0089869dfc16a8e0535c1583fa7ee3d54b13bf0ea951a877

Download Submit
\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
101KB

MD5
8155e7348f47be859b61b10046880f80

SHA1
11cafa83a0703f81707e5fc58a555aeba46a8171

SHA256
6ff25f34bf7b218dcae5f1abda83b88dffddade05e1240e89bb47c3892a52f30

SHA512
94067ca4fc31725bbd96d2982bb470251b2535d5bb34b1612d71c081cde81d6bf77d035d4b7eb8c70923882675e41a4af0d13282174655aa3344585785c8a29f

Download Submit
\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
73KB

MD5
96bdf13b721edda23e57f7071a1fcbb1

SHA1
1e7a1d7c01ab050477f59ec75b6f13744aa70bf1

SHA256
f80824f4fe32cc636ad99de75d321c496555d292888e372f4a8986f37ab29b70

SHA512
878b89e61aa3977d901ecf4e3d416517bbe80ed329fa221b0b92dc6bd6a919eb9b89ea904090807e2c71e3ea16bc6c17de6defdda6b73ccddee050ad693f9d86

Download Submit
\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
11KB

MD5
2e972f27e994e14d9d3391e98631a5a4

SHA1
36168820b7acae8411003bac1766b9f298e7fcef

SHA256
a0f22a16ed3043207b03717dd5262ec2adf1e73dcc228fae701b7ece1b13be55

SHA512
b1b250d9ab65cc23b599d056b3bfeca54218e9de5f4284c570436d01ba91701cc83c47bf83ba58676d83248c2fb9f7816d699b7123c1d006c1625220804fb97b

Download Submit
\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
20KB

MD5
3f035d5da7db043dc642cc4eca2d2397

SHA1
1ee9b1e3b1309164aafbb1eebb1587b75e6a0a26

SHA256
de44401e4385abf9659f0df7ccd0a76fe05677579c8a124fcf67a8fc98b11f10

SHA512
1a609b7ec29331fd50fd3d05a085ede15cda326727d3d01fe5faa72dc415c8a548a4f3c174af7041b3f6fe56626c010c6549086e340273e75c666ad2b936752f

Download Submit
\Users\Admin\AppData\Local\Temp\DTQZH.exe
Filesize
4KB

MD5
8e284e26624aa10e36159effff2e518c

SHA1
6ae11f756ccc62b0c20b62c915e699a6b40d84d6

SHA256
3ce25b93542ef1463190e75f5bdf21b062a945d55665be38453ba2eb7c0a19b0

SHA512
090f614d9a9b6379df9ca17bc47ad0e8e7534f656d5cf3a61cd2a8f58ab6a59d3281265a55fad4acd8301aa8cce758a0db8e53562d576088d53c57dc51850157

Download Submit
memory/2380-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2920-12-0x0000000000800000-0x000000000083D000-memory.dmp

Filesize
244KB

Download
memory/2920-13-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-0-0x00000000001E0000-0x0000000000280000-memory.dmp

Filesize
640KB

Download
memory/2920-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2920-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing