marsstealer | d269a5c94272ec07cea72bcf2fb277671661bd79f485067c8ba20d91435979e2

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-12-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
Size

5.7MB
MD5

efe42e097392ba07bdbc1b30ed12f46f
SHA1

6e67c0ce64661b8f12c453d182fadcf9b81225b8
SHA256

9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af
SHA512

87147c5b0a5016d5a6f36e980cf294880a78ca3b3491ca1e90bd5664f3d6405da4259ae486544f7b355cf6e29eeb80273336b9f2fbb5928730eda3584b8a1005
SSDEEP

12288:MPZV/cS4H8+Gc8DWKwJa8JdrBoyvCRH96m2iii2Tc:MRV2iWih

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

F1E8.exe

pid process

2192 F1E8.exe

pid	process
2192	F1E8.exe

Loads dropped DLL 5 IoCs

Processes:

9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exeWerFault.exe

pid	process
1764	9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
1764	9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2916 2192 WerFault.exe F1E8.exe

pid	pid_target	process	target process
2916	2192	WerFault.exe	F1E8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exeF1E8.exe

description	pid	process	target process
PID 1764 wrote to memory of 2192	1764	9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe	F1E8.exe
PID 1764 wrote to memory of 2192	1764	9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe	F1E8.exe
PID 1764 wrote to memory of 2192	1764	9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe	F1E8.exe
PID 1764 wrote to memory of 2192	1764	9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe	F1E8.exe
PID 2192 wrote to memory of 2916	2192	F1E8.exe	WerFault.exe
PID 2192 wrote to memory of 2916	2192	F1E8.exe	WerFault.exe
PID 2192 wrote to memory of 2916	2192	F1E8.exe	WerFault.exe
PID 2192 wrote to memory of 2916	2192	F1E8.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
"C:\Users\Admin\AppData\Local\Temp\9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Roaming\Identities\F1E8.exe
"C:\Users\Admin\AppData\Roaming\Identities\F1E8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 640
3⤵
- Loads dropped DLL
- Program crash
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Identities\F1E8.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Identities\F1E8.exe
Filesize
98KB

MD5
13fe248a6a838a7a4161371922bd0f1c

SHA1
1fda5b3ec65694dea011c36142ffe758460fa6ff

SHA256
fbb62da950f9360bbba0be9d0c69d5589a32a804ba1cab6be48b2385a3df40ce

SHA512
bdd468354399154d57df93aeb853fe200b2632fb6255e86af3dd0ecbae5848caf1b428f6e68330280ca88134e075e7ccabe063ff5575411d83dd29f246a9650b

Download Submit
\Users\Admin\AppData\Roaming\Identities\F1E8.exe
Filesize
159KB

MD5
ccbede8d2869535347316a479f0b8095

SHA1
1dd0e7574972260c77ca90638950d83c7b00d8f2

SHA256
afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179

SHA512
9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456

Download Submit
memory/1764-0-0x0000000000330000-0x00000000003A4000-memory.dmp

Filesize
464KB

Download
memory/1764-1-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-2-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/1764-12-0x00000000005C0000-0x00000000005FD000-memory.dmp

Filesize
244KB

Download
memory/1764-15-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-7-0x00000000005C0000-0x00000000005FD000-memory.dmp

Filesize
244KB

Download
memory/2192-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download