marsstealer | 3c832729574cc265b686cd3b77b86739bb1d65562b3f09b66798e73f718d5ec0

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Web Designer.exe
Size

606KB
MD5

0e77b4b765c41d8453e488b69f7256c2
SHA1

2d3e3de822ddbd093bdd0d874c82a1a3eefbe3ff
SHA256

3c832729574cc265b686cd3b77b86739bb1d65562b3f09b66798e73f718d5ec0
SHA512

01da6e84a4d5759ef1d9dfa3531f4bd5bc63aea53494dae119f8eb51eac4452b72314f401e1d5eb75b4a11f30f120890ded5acc33d32ef434e9c634a3db91de9
SSDEEP

12288:3Gmm2a914hG/JDHoUtu9bD+y3QPMB9JFuEJdFF0d4sjJLf8id+TwqU6QEx67U0kE:Wm21cQ62lrPU0kw

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Google Web Designer.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	20IAH2F3TAQ15P.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1968	436	Google Web Designer.exe	85
PID 436 wrote to memory of 1968	436	Google Web Designer.exe	85
PID 436 wrote to memory of 1968	436	Google Web Designer.exe	85

C:\Users\Admin\AppData\Local\Temp\Google Web Designer.exe
"C:\Users\Admin\AppData\Local\Temp\Google Web Designer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:436
- C:\ProgramData\20IAH2F3TAQ15P.exe
  "C:\ProgramData\20IAH2F3TAQ15P.exe"
  2⤵
  - Executes dropped EXE
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\20IAH2F3TAQ15P.exe

Filesize
159KB

MD5
0820b1d34fb9c3ea2831e889d8e1d477

SHA1
21f55497fec08821cfa22ffc9f8c2afa08cfa11a

SHA256
4f16c358a21341ad3fb5a46dc87e1cedb74759373ef97df755b8660ff1e6211c

SHA512
8ce4fd4dfb033100982865c11a496a9645427dfb031e31a376c48a74440d342b4b13349f701d3bf2deedd37e29069da9fe36f65fb788510e9b002d388fa95b03

Download Submit
memory/436-0-0x0000000000620000-0x00000000006BC000-memory.dmp

Filesize
624KB

Download
memory/436-1-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/436-2-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/436-13-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1968-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download