Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/04/2024, 01:50 UTC

General

  • Target

    32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe

  • Size

    619KB

  • MD5

    ba6e7e1e9161199cda53984e8797add7

  • SHA1

    c4ad796a18ffab0ef5f7df1a0db302114a4826d1

  • SHA256

    32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775

  • SHA512

    7cda7fc206a871949955bdc5dba5f0d53673b637d5a48c42be2095b461b83a5916c43e4037eb77c353cf01838c860f3ab31ce8f5b38631088578de107eba9b66

  • SSDEEP

    12288:K5XTI5PwjN7SJxjHhXXBVDgIQ7JMKjK5+GbKGvOs2JCo/bSJBoFnCMX6k:KppbjjaatFKk

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe
    "C:\Users\Admin\AppData\Local\Temp\32429b9055e49788020d2baccfd472075a26cbdd1c70d0693150cdf963975775.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\M3KG4QS.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\M3KG4QS.exe"
      2⤵
      • Executes dropped EXE
      PID:2556

Network

  • DNS (US)
    kenesrakishev.net
    M3KG4QS.exe
    Remote address:
    8.8.8.8:53
    Request
    kenesrakishev.net
    IN A
    Response
    kenesrakishev.net
    IN A
    173.201.180.75
  • 173.201.180.75:80
    kenesrakishev.net
    M3KG4QS.exe
    152 B
    3
  • 173.201.180.75:80
    kenesrakishev.net
    M3KG4QS.exe
    152 B
    3
  • 173.201.180.75:80
    kenesrakishev.net
    M3KG4QS.exe
    152 B
    3
  • 8.8.8.8:53
    kenesrakishev.net
    dns
    M3KG4QS.exe
    63 B
    79 B
    1
    1

    DNS Request

    kenesrakishev.net

    DNS Response

    173.201.180.75

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\M3KG4QS.exe

    Filesize

    159KB

    MD5

    6c919bd1a5cf9a961aabade412f587cb

    SHA1

    5faaf4f33cb37eae2dc909d9b01c46bd9c7eb198

    SHA256

    dcfd1325f755080466602c7dcf44588b2e57ba7e59c47ba561d750c0f28a4be1

    SHA512

    de5a6e11b85ed4c5b13492f0b679f00c419a2d0f2ff06547cd385af34ae0ca3d0de614f082b2b03095e8c10bed2c304e123a2ad4ee56d687aeb5ebbab5399967

  • memory/2556-14-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2872-0-0x0000000000E00000-0x0000000000EA0000-memory.dmp

    Filesize

    640KB

  • memory/2872-1-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2872-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

    Filesize

    256KB

  • memory/2872-13-0x0000000000C10000-0x0000000000C4D000-memory.dmp

    Filesize

    244KB

  • memory/2872-12-0x0000000000C10000-0x0000000000C4D000-memory.dmp

    Filesize

    244KB

  • memory/2872-15-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB
