Analysis
-
max time kernel
22s -
max time network
20s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2024 17:55
Behavioral task
behavioral1
Sample
MarsStealer8_cracked_by_LLCPPC.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
MarsStealer8_cracked_by_LLCPPC.exe
Resource
win10v2004-20240802-en
General
-
Target
MarsStealer8_cracked_by_LLCPPC.exe
-
Size
159KB
-
MD5
caa1ddfbbe03a5a5daeb718605daacb0
-
SHA1
1dc62e3529aaafb20c3ca16697deb5cf6792d83f
-
SHA256
fcec85746f0f2a92b1268830d6d0b075eb9080707358b93ba5fbd917b1a0a8ea
-
SHA512
fb805afdf01603eb5af3ee8807fcd42a04e49d3a106e945fa9ab57a68a5068bdfc19a685213d3601be228dfbfae52315953e2400be9051a283f6df0923518ce7
-
SSDEEP
3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG
Malware Config
Extracted
marsstealer
Default
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MarsStealer8_cracked_by_LLCPPC.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2904 taskmgr.exe Token: SeSystemProfilePrivilege 2904 taskmgr.exe Token: SeCreateGlobalPrivilege 2904 taskmgr.exe Token: 33 2904 taskmgr.exe Token: SeIncBasePriorityPrivilege 2904 taskmgr.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MarsStealer8_cracked_by_LLCPPC.exe"C:\Users\Admin\AppData\Local\Temp\MarsStealer8_cracked_by_LLCPPC.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3028
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904