marsstealer | 3e69bbd95df10d650c74524c6822299a3516d97f5040bea67addab837c3211f5

Analysis

max time kernel
139s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cyber Hunter Install.exe
Size

4.9MB
MD5

f836f277cbcadfecfc988bf350d410c3
SHA1

f9a66d7876a6eb09763e0705beaa999d99f53754
SHA256

d38bc9871b0eba08a6b77314a6d3fdc94531315c2659ea60d8d23b4450ed3838
SHA512

ac284e90bf72d564ceaeda28383efc8793f286002d2d7ae37f08f05a9170faa5f77a8e741cb60fabb1f48f9abc769070fc3620fa9c5d7dfce60029b6d58c8280
SSDEEP

12288:D6BeSpuojQEv1E729k4nRQ/ceb5WdWOeoP3/F+2nGr6A5zuzhGlC5LcB+cVgeMtb:E0yLW2mudcocIE

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

moscow-post.com/xaoniu/server/waungowangued/g.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cyber Hunter Install.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	Cyber Hunter Install.exe

Executes dropped EXE 1 IoCs

Processes:

BYN8.exe

pid process

3004 BYN8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4584 3004 WerFault.exe BYN8.exe

pid	process
3004	BYN8.exe

pid	pid_target	process	target process
4584	3004	WerFault.exe	BYN8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Cyber Hunter Install.exe

description	pid	process	target process
PID 5048 wrote to memory of 3004	5048	Cyber Hunter Install.exe	BYN8.exe
PID 5048 wrote to memory of 3004	5048	Cyber Hunter Install.exe	BYN8.exe
PID 5048 wrote to memory of 3004	5048	Cyber Hunter Install.exe	BYN8.exe

C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe
"C:\Users\Admin\AppData\Local\Temp\Cyber Hunter Install.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Roaming\Microsoft\BYN8.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BYN8.exe"
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 1408
3⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3004 -ip 3004
1⤵
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\BYN8.exe
Filesize
159KB

MD5
1f51c4bdd8bd5b81fe2638ffa85fd5d2

SHA1
43146ce6867ba788dc50ddfe1d9ec4d89aafd859

SHA256
e7dcfe91d1f3c1b1d33b8f7eae174999b04faec7825474baf846aaa408d97c38

SHA512
7f0d34c1ccf39cb0c5600507b2b00185e097a6423cc622b66659cd46aef6bb55b6a5806971a816eab3f990b8099cdc9a606cacab49a1f6bd002fcf9a2964ca98

Download Submit
memory/3004-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3004-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-0-0x0000000000600000-0x0000000000692000-memory.dmp

Filesize
584KB

Download
memory/5048-1-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-12-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download