marsstealer | b7737850b4f9843c60a23ca39b81fecdb60a04fbcd5839326f854f0a092f95c5

General

Target

Gammadyne Mailer.exe
Size

668KB
MD5

1ff8f5b71d19c4faffa31dfdc21fd263
SHA1

cb42386f7fd958812ffcfff9b0c107158eca5994
SHA256

b7737850b4f9843c60a23ca39b81fecdb60a04fbcd5839326f854f0a092f95c5
SHA512

74a1e83bc9a03ffadf78c18a7bb056724c17b6dce3e85ed214282ca38adb47d52a3f8c48c82a1b9c25014c7739f4dcd18faf3a6b81bf90247f6d3086d16698fa
SSDEEP

12288:jkZbvRx3JGXdvLI/tt5AzzCRlr+RGc6xyArqg5GnD8LVduHRvBHnVr7MHWrgcli7:xRWy68/ghD7q

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

TK.exe

pid process

2208 TK.exe
Loads dropped DLL 2 IoCs

Processes:

Gammadyne Mailer.exe

pid process

2868 Gammadyne Mailer.exe
2868 Gammadyne Mailer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2208	TK.exe

pid	process
2868	Gammadyne Mailer.exe
2868	Gammadyne Mailer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

TK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	TK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	TK.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Gammadyne Mailer.exe

description	pid	process	target process
PID 2868 wrote to memory of 2208	2868	Gammadyne Mailer.exe	TK.exe
PID 2868 wrote to memory of 2208	2868	Gammadyne Mailer.exe	TK.exe
PID 2868 wrote to memory of 2208	2868	Gammadyne Mailer.exe	TK.exe
PID 2868 wrote to memory of 2208	2868	Gammadyne Mailer.exe	TK.exe

C:\Users\Admin\AppData\Local\Temp\Gammadyne Mailer.exe
"C:\Users\Admin\AppData\Local\Temp\Gammadyne Mailer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\TK.exe
"C:\Users\Admin\AppData\Local\Temp\TK.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\TK.exe
Filesize
159KB

MD5
92302995a9204718c11d721b3b8b3edd

SHA1
f018ecd683ba6cb7e3aa075b4eb92c1ba4b8a2a9

SHA256
8a09643eaff0b5e8fb553b92282ec01baa9c9f6a2990ae7f7cdb11db6216b098

SHA512
f862bd8f745ec016a63de3d59e31a97186229244c851c38a4b5abfab32535b3817f35afdcd0b082c4ff4de1e64d9f44c83f9daec212ec7c8614c59dec97598e5

Download Submit
memory/2208-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2868-1-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-0-0x0000000000EA0000-0x0000000000F4C000-memory.dmp

Filesize
688KB

Download
memory/2868-2-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/2868-12-0x0000000000620000-0x000000000065D000-memory.dmp

Filesize
244KB

Download
memory/2868-13-0x0000000000620000-0x000000000065D000-memory.dmp

Filesize
244KB

Download
memory/2868-15-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing