marsstealer | bfac17bf9afcd4c29cf1ec35afea82c57aaa0507528b61dd1ee0e2e272512e19

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe
Size

6.8MB
MD5

9df2be3860081eb963d028592fb998f6
SHA1

9e93f1f4201ceba6cf7346856acda50fe50bed15
SHA256

0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1
SHA512

a3bee2c1825fae431c8a3d547cfbf927628a5ef9f7570ffa277c72bc4368dbebc3ae9a3b3af6401e85c70d62d91bd58524030f75ccaabb080ea2b75ea663a936
SSDEEP

12288:StZqbqjCnunwzLipJX3MJxOWM+XnYd3RrnADA+uom/YeBL:StDwUJ8SpoE/YeBL

Score

10^/10

marsstealer default spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

kenesrakishev.net/wp-includes/pomo/po.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe

Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

2944 2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2488 2944 WerFault.exe 2.exe

pid	process
2944	2.exe

pid	pid_target	process	target process
2488	2944	WerFault.exe	2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe

description	pid	process	target process
PID 4256 wrote to memory of 2944	4256	0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe	2.exe
PID 4256 wrote to memory of 2944	4256	0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe	2.exe
PID 4256 wrote to memory of 2944	4256	0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe	2.exe

C:\Users\Admin\AppData\Local\Temp\0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe
"C:\Users\Admin\AppData\Local\Temp\0ea66c4bb51415da1cd18fb935dbf3f5e8cf671310b9fa9a1f847fdcb6cc46b1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4256
- C:\ProgramData\2.exe
  "C:\ProgramData\2.exe"
  2⤵
  - Executes dropped EXE
  PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1776
    3⤵
    - Program crash
    PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2944 -ip 2944
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2.exe

Filesize
159KB

MD5
ad89890757c177d7d05e2fbea0547772

SHA1
da871536caff869ea4a35f351b2fb90c6645b555

SHA256
1109fc5e54190e0b50cdc3c455af86887566968cdfb6df59c2bfb566ddb295af

SHA512
829584a81473350e2ace4a9ca1f25e3b63e2f7d376e0ff30846f97c91d805df35ff251431956d932d16f60e42846702ae8e53dea6f4bf2175d860983008eed49

Download Submit
memory/2944-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2944-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4256-1-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4256-0-0x0000000000A30000-0x0000000000AC8000-memory.dmp

Filesize
608KB

Download
memory/4256-2-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4256-13-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download