marsstealer | b528e70d97a3633d06626303bbf03d1544fdd659169594c61a47aa825237f847

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe
Size

11.7MB
MD5

6c23d52006da52904f755c8268d29ffc
SHA1

8d770ad326a02692e7a223749128d402af94e1a7
SHA256

d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd
SHA512

ae64700be9120d3b4e8b1dc0a94ad4131726d72bd92433461e2af505df67e89bf1e3d62d1b47dd6b632dc087dcea5d15ddcad03fa3956379efc854d0d72bd9b3
SSDEEP

12288:Fkbo4c5w0lRq+x83dhmNml3pPw1WIzWTbel9BfrmjsN/pf7Rm:3gqbsmVBfyoN/y

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

WEGWG7QCQ9ZVL.exe

pid process

1856 WEGWG7QCQ9ZVL.exe

pid	process
1856	WEGWG7QCQ9ZVL.exe

Loads dropped DLL 5 IoCs

Processes:

d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exeWerFault.exe

pid	process
1732	d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe
1732	d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2704 1856 WerFault.exe WEGWG7QCQ9ZVL.exe

pid	pid_target	process	target process
2704	1856	WerFault.exe	WEGWG7QCQ9ZVL.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exeWEGWG7QCQ9ZVL.exe

description	pid	process	target process
PID 1732 wrote to memory of 1856	1732	d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe	WEGWG7QCQ9ZVL.exe
PID 1732 wrote to memory of 1856	1732	d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe	WEGWG7QCQ9ZVL.exe
PID 1732 wrote to memory of 1856	1732	d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe	WEGWG7QCQ9ZVL.exe
PID 1732 wrote to memory of 1856	1732	d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe	WEGWG7QCQ9ZVL.exe
PID 1856 wrote to memory of 2704	1856	WEGWG7QCQ9ZVL.exe	WerFault.exe
PID 1856 wrote to memory of 2704	1856	WEGWG7QCQ9ZVL.exe	WerFault.exe
PID 1856 wrote to memory of 2704	1856	WEGWG7QCQ9ZVL.exe	WerFault.exe
PID 1856 wrote to memory of 2704	1856	WEGWG7QCQ9ZVL.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe
"C:\Users\Admin\AppData\Local\Temp\d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\ProgramData\WEGWG7QCQ9ZVL.exe
"C:\ProgramData\WEGWG7QCQ9ZVL.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 824
3⤵
- Loads dropped DLL
- Program crash
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WEGWG7QCQ9ZVL.exe
Filesize
159KB

MD5
e639201bf0d332f8965649ec7de96c40

SHA1
6047898d098c27c9e24e9e21310ecd2fd6a7dc20

SHA256
fcecfe186349fb25b733b526b9259dec1bd3a3bd94a7cd5015a3b890e371f7fb

SHA512
73d010ce917f0827bb1266a1178c026aa6602675788163c38dd9d46ce9f558b855c2ad5bfd70db84e8b58deb241c64050f2dc472c532dbd2453155e569a24b45

Download Submit
C:\ProgramData\WEGWG7QCQ9ZVL.exe
Filesize
94KB

MD5
fc24ff011dae1c4c495e24961b6cb4e5

SHA1
a15ce914f56b229209596fd6ba9cdcb73af9bce2

SHA256
5f5ce50ca681ccedc43cd289f6fc4692891a4fa563e1e325b7bc3e91dbb9acfb

SHA512
de5a6e6702317937035c30ad86295e2a595a8a42d289a74d8418fe0f74764a7bc725a08f63c83f952667743ee0273bbbd2eedd937a533d395c8245bba82083d3

Download Submit
memory/1732-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-0-0x00000000008E0000-0x000000000098A000-memory.dmp

Filesize
680KB

Download
memory/1732-2-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/1732-13-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-12-0x0000000001EB0000-0x0000000001EED000-memory.dmp

Filesize
244KB

Download
memory/1856-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download