Overview

overview

10

Static

static

3

71ea59cbed...78.exe

windows7-x64

10

71ea59cbed...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-01-2024 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71ea59cbedf3c80b6e47bcd746463de8d82b650e0666183a3bd47bf1b2633378.exe

  • Size

    11.5MB

  • MD5

    9386af6fd41ad96b318f63b35ba418c7

  • SHA1

    68763a50793e358faf7d089ebd27febdd07e3b77

  • SHA256

    71ea59cbedf3c80b6e47bcd746463de8d82b650e0666183a3bd47bf1b2633378

  • SHA512

    9344b70e176d9a892f22c5d192a714c19ec2beb6c6d997e72cc2fd8c7103cfeaa670e6f2fd234834ad18647dfbe9b31e12b49156821abf8391236a62261434f8

  • SSDEEP

    12288:ytaCEOf6hozmO1LhZU2Pn5zvWKr5zaVTxOWQxBH+QWLoRrW4LbMQbKjVa:trOi70kLej

Score
10/10
marsstealerdefaultspywarestealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

    stealermarsstealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71ea59cbedf3c80b6e47bcd746463de8d82b650e0666183a3bd47bf1b2633378.exe
    "C:\Users\Admin\AppData\Local\Temp\71ea59cbedf3c80b6e47bcd746463de8d82b650e0666183a3bd47bf1b2633378.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Roaming\Mozilla\JP9H88KBRD7DM.exe
      "C:\Users\Admin\AppData\Roaming\Mozilla\JP9H88KBRD7DM.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 812
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Mozilla\JP9H88KBRD7DM.exe
    Filesize

    92KB

    MD5

    0f482c362072a91492ce828e92060c64

    SHA1

    073c6c7b9a22794776c2b9a81c3f1c31920f074a

    SHA256

    b631466c4c6ec6f4958cbe990714ee0881f3423e0df3cbe63b6826af7af78148

    SHA512

    bceb0b81f8960096ce04860e45bd04fa3023d4228c57ed506be8bcd90c55796b78edb25efa2a9a463b43167f90dba54105847cc7729820b3d314893855005f31

    Download Submit
  • \Users\Admin\AppData\Roaming\Mozilla\JP9H88KBRD7DM.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/1080-14-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/2436-0-0x0000000001190000-0x0000000001206000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2436-1-0x0000000074530000-0x0000000074C1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2436-2-0x0000000004AB0000-0x0000000004AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2436-15-0x0000000074530000-0x0000000074C1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2436-13-0x0000000000A60000-0x0000000000A9D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/2436-11-0x0000000000A60000-0x0000000000A9D000-memory.dmp
    Filesize

    244KB

    Download