Analysis Overview
SHA256
3417e9f342180604ef37d8269d0c45a5ea9518448816acde4af89f5069c59e9b
Threat Level: Known bad
The file Mars Stealer 8 cracked.exe was found to be: Known bad.
Malicious Activity Summary
Locky
Locky family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-23 04:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-23 04:35
Reported
2024-12-23 04:38
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Locky
Locky family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"
C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\re.png
| MD5 | c1cf1874c3305e5663547a48f6ad2d8c |
| SHA1 | 0f67f12d76a0543772a3259a3b38935381349e01 |
| SHA256 | 79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842 |
| SHA512 | c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843 |
C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\sj.png
| MD5 | 559ce5baaee373db8da150a5066c1062 |
| SHA1 | ee80e5f63c986d04f46bff10f639113c88107ced |
| SHA256 | f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c |
| SHA512 | c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca |
\Users\Admin\AppData\Local\Temp\crack.exe
| MD5 | 4fe30a23c39ba018087953089e06e700 |
| SHA1 | 4a78d78c1f454a7f3d91413184ac061458c30d64 |
| SHA256 | 12198899a031241840756a8eed1015904555bc04728dace270c4734c02e64030 |
| SHA512 | f62fd43cef647672debbe5a22a1461a885ad53e8f56ce426020f73064bfbf703d697e3a9e87ed5b4d8ec0b422c451477378bc7779460332bb02960349bd3ff05 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | e2eaae1faafbcb27b498ab773e936095 |
| SHA1 | a09bb8310da7332d63cc9a075fc51be9b256d0cd |
| SHA256 | ee3c57bc5e701d433d3a1ec3352d44d26122987d0eacf48bb0d1a8daf3e19030 |
| SHA512 | 255b59b795169df5c39c232c6af8c3d8a545f5c6b8662aa0a046a8fc90ade6abdde00316154c30cde2effabccdd229ebdfb62a44b55451e5fbd5d7e72c1d15c1 |
\Users\Admin\AppData\Local\Temp\_MEI9882\python312.dll
| MD5 | 6f7c42579f6c2b45fe866747127aef09 |
| SHA1 | b9487372fe3ed61022e52cc8dbd37e6640e87723 |
| SHA256 | 07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5 |
| SHA512 | aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec |
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-file-l2-1-0.dll
| MD5 | c3408e38a69dc84d104ce34abf2dfe5b |
| SHA1 | 8c01bd146cfd7895769e3862822edb838219edab |
| SHA256 | 0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453 |
| SHA512 | aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99 |
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | e8af200a0127e12445eb8004a969fc1d |
| SHA1 | a770fe20e42e2bef641c0591c0e763c1c8ba404d |
| SHA256 | 64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db |
| SHA512 | a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf |
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1f72ba20e6771fe77dd27a3007801d37 |
| SHA1 | db0eb1b03f742ca62eeebca6b839fdb51f98a14f |
| SHA256 | 0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4 |
| SHA512 | 13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27 |
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | a55abf3646704420e48c8e29ccde5f7c |
| SHA1 | c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8 |
| SHA256 | c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e |
| SHA512 | c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0 |
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 75ef38b27be5fa07dc07ca44792edcc3 |
| SHA1 | 7392603b8c75a57857e5b5773f2079cb9da90ee9 |
| SHA256 | 659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a |
| SHA512 | 78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc |
\Users\Admin\AppData\Local\Temp\_MEI9882\ucrtbase.dll
| MD5 | 9679f79d724bcdbd3338824ffe8b00c7 |
| SHA1 | 5ded91cc6e3346f689d079594cf3a9bf1200bd61 |
| SHA256 | 962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36 |
| SHA512 | 74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd |
memory/2468-948-0x000007FEF5750000-0x000007FEF5E15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI19442\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-23 04:35
Reported
2024-12-23 04:38
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
148s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |