marsstealer | e4d2abb64b06e33dbb6cb728370829dc332b4ea0affe03100b2670d386ad7038

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe
Size

619KB
MD5

ba6e7e1e9161199cda53984e8797add7
SHA1

c4ad796a18ffab0ef5f7df1a0db302114a4826d1
SHA256

32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775
SHA512

7cda7fc206a871949955bdc5dba5f0d53673b637d5a48c42be2095b461b83a5916c43e4037eb77c353cf01838c860f3ab31ce8f5b38631088578de107eba9b66
SSDEEP

12288:K5XTI5PwjN7SJxjHhXXBVDgIQ7JMKjK5+GbKGvOs2JCo/bSJBoFnCMX6k:KppbjjaatFKk

Score

10^/10

marsstealer default stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 1 IoCs

Processes:

M3KG4QS.exe

pid process

2556 M3KG4QS.exe

pid	process
2556	M3KG4QS.exe

Loads dropped DLL 2 IoCs

Processes:

32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe

pid	process
2872	32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe
2872	32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe

description	pid	process	target process
PID 2872 wrote to memory of 2556	2872	32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe	M3KG4QS.exe
PID 2872 wrote to memory of 2556	2872	32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe	M3KG4QS.exe
PID 2872 wrote to memory of 2556	2872	32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe	M3KG4QS.exe
PID 2872 wrote to memory of 2556	2872	32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe	M3KG4QS.exe

C:\Users\Admin\AppData\Local\Temp\32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe
"C:\Users\Admin\AppData\Local\Temp\32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\M3KG4QS.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\M3KG4QS.exe"
2⤵
- Executes dropped EXE
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\M3KG4QS.exe
Filesize
159KB

MD5
6c919bd1a5cf9a961aabade412f587cb

SHA1
5faaf4f33cb37eae2dc909d9b01c46bd9c7eb198

SHA256
dcfd1325f755080466602c7dcf44588b2e57ba7e59c47ba561d750c0f28a4be1

SHA512
de5a6e11b85ed4c5b13492f0b679f00c419a2d0f2ff06547cd385af34ae0ca3d0de614f082b2b03095e8c10bed2c304e123a2ad4ee56d687aeb5ebbab5399967

Download Submit
memory/2556-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2872-0-0x0000000000E00000-0x0000000000EA0000-memory.dmp

Filesize
640KB

Download
memory/2872-1-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2872-13-0x0000000000C10000-0x0000000000C4D000-memory.dmp

Filesize
244KB

Download
memory/2872-12-0x0000000000C10000-0x0000000000C4D000-memory.dmp

Filesize
244KB

Download
memory/2872-15-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download