marsstealer | 319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39

General

Target

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
Size

159KB
MD5

538cc587125f738ae81e2e4fe28c0084
SHA1

7aa3c65496b968c3641b7d7db1849ad4715053d6
SHA256

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39
SHA512

770eafcaa7ede802b61d6483fad9a4eff6161867c5d7f78b4ee2dfd01002425b56c09c52dea495b3b43b80f6ecfb966dedf79a08e0316f018b1cde929524bf2b
SSDEEP

3072:UP2iydi+7Jtzet46rSIskyH39vIe3EZ8CbsZEE6tLJSp8Bb8EG:edIfzetJFyXRlCbeV6tH8EG

Score

10^/10

marsstealer default discovery spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

C2

couriercare.in/18/gate.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

Loads dropped DLL 2 IoCs

Processes:

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

pid	process
1716	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
1716	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4120 timeout.exe

pid	process
4120	timeout.exe

Modifies registry class 5 IoCs

Processes:

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.execmd.exe

description	pid	process	target process
PID 1716 wrote to memory of 2388	1716	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe	cmd.exe
PID 1716 wrote to memory of 2388	1716	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe	cmd.exe
PID 1716 wrote to memory of 2388	1716	319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe	cmd.exe
PID 2388 wrote to memory of 4120	2388	cmd.exe	timeout.exe
PID 2388 wrote to memory of 4120	2388	cmd.exe	timeout.exe
PID 2388 wrote to memory of 4120	2388	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe
"C:\Users\Admin\AppData\Local\Temp\319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\319b8b4f833b7a319dae6c6ff148d0ec75f83ac6f031678a54ab31a5ab360c39.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
31KB

MD5
64565ee40b0fd72559882a1ff3c33af2

SHA1
a6f775d4d50e10e17a64d886da71527eb91a88b8

SHA256
17a7c2e8df8ebb9db0ecdb0c1cf0301dbeb7aa5104cd1a75ec8232ae4e3d2387

SHA512
6861a56a1f857eb9fcf65e4cea3a6d92f625cfccff99bf9c770dd712a00d40af4d3b39c57822a8d948de7eec3e5b61dae59c59db1bf5c21057d580a3c17d495d

Download Submit
C:\ProgramData\nss3.dll

Filesize
132KB

MD5
afd9f178965659e68195a131201f9e48

SHA1
b76c85a05cbc9eec8ed82d54f324f05f28d203ce

SHA256
15861a2832e0727eb71f8cf825de96690f1f8358e6a77914b3d1e348d516d7ea

SHA512
1610dbb263b9eb8753b992c7457981acc2b2013725118be659f8b8fc60834c5946c676d727903852f03bd4edcaae7a2ac581c7ee1f0e4657d10ce6105c1d4009

Download Submit
memory/1716-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1716-1-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1716-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads