marsstealer | 9fba2c6f51319bc7585cd88948dfe4198a73a95d460d20f7c4ce54f892f84256

Analysis

max time kernel
0s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShellGPT4.exe
Size

4.0MB
MD5

c62f737ce988b95d667ccfebcfcab323
SHA1

d5a5f8aca605097e98163dd3163c9519fe2d5b7d
SHA256

9fba2c6f51319bc7585cd88948dfe4198a73a95d460d20f7c4ce54f892f84256
SHA512

d6fb67ffec3b2e1d0add413f715b6b27ae9c0c887f05a770e3e15984d11058796ebcdcc9840818f9484990ebfb75e8fef928d1f6812eef3e24cbbce70e86f977
SSDEEP

12288:fLplFN+msYJ2nCuWyEHx7YsvTZq7FUEpJBC:HC9WtZM

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

www.moscow-post.ru/bark/wpadmin/admin.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3260 4160 WerFault.exe 5F.exe

pid	pid_target	process	target process
3260	4160	WerFault.exe	5F.exe

C:\Users\Admin\AppData\Local\Temp\ShellGPT4.exe
"C:\Users\Admin\AppData\Local\Temp\ShellGPT4.exe"
1⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\5F.exe
"C:\Users\Admin\AppData\Local\Temp\5F.exe"
2⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1368
3⤵
- Program crash
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4160 -ip 4160
1⤵
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F.exe
Filesize
1KB

MD5
d8269e266b1ab36676e4be1ad139de21

SHA1
67d26239b7a9499f43bc1a3ec58bcce6a68778d2

SHA256
fca0b9aa3fd503ce703d0f3cd342555cc86a0650586850feba5bef89496f2d96

SHA512
9fafe62e1b86af4e0a12bffb1d3372ea637a53cf4221ebd867fb91a86cd1a18db64d22707798096873fa0d8aee84fb69703b41c6336ba6bb827391d74ed97776

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F.exe
Filesize
18KB

MD5
c88db39ac0652a6c66b40c5dce98c0b5

SHA1
0719b4bcc0b0af154b958304e0021e420eff755f

SHA256
fbe514cb61fa2030221cfd654447e0e06ebb72aa6f16398fd65b3d4570d959e6

SHA512
98cf10b1fa78d7b9db322498f005fe98cbd189209cb86b8ba1a206e0b07beb18395e6b5cc046d860732bcb0c51c83e0fc77c529ef2cdae20a43ff92ac62c3639

Download Submit
memory/4160-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4160-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-1-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-0-0x00000000005A0000-0x0000000000640000-memory.dmp

Filesize
640KB

Download
memory/4500-2-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4500-13-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download