Malware Analysis Report

2025-01-18 18:18

Sample ID 241223-e74bvawlay
Target Mars Stealer 8 cracked.exe
SHA256 3417e9f342180604ef37d8269d0c45a5ea9518448816acde4af89f5069c59e9b
Tags
locky discovery pyinstaller ransomware upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3417e9f342180604ef37d8269d0c45a5ea9518448816acde4af89f5069c59e9b

Threat Level: Known bad

The file Mars Stealer 8 cracked.exe was found to be: Known bad.

Malicious Activity Summary

locky discovery pyinstaller ransomware upx

Locky

Locky family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-23 04:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-23 04:35

Reported

2024-12-23 04:38

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"

Signatures

Locky

ransomware locky

Locky family

locky

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2996 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe
PID 2996 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe
PID 2996 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe
PID 2996 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe
PID 2996 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2996 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2996 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2996 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 988 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 988 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 988 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1944 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe
PID 1944 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe
PID 1944 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\crack.exe | C:\Users\Admin\AppData\Local\Temp\crack.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"

C:\Users\Admin\AppData\Local\Temp\crack.exe

"C:\Users\Admin\AppData\Local\Temp\crack.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\crack.exe

"C:\Users\Admin\AppData\Local\Temp\crack.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\re.png

MD5 c1cf1874c3305e5663547a48f6ad2d8c
SHA1 0f67f12d76a0543772a3259a3b38935381349e01
SHA256 79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842
SHA512 c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843

C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\sj.png

MD5 559ce5baaee373db8da150a5066c1062
SHA1 ee80e5f63c986d04f46bff10f639113c88107ced
SHA256 f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c
SHA512 c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca

\Users\Admin\AppData\Local\Temp\crack.exe

MD5 4fe30a23c39ba018087953089e06e700
SHA1 4a78d78c1f454a7f3d91413184ac061458c30d64
SHA256 12198899a031241840756a8eed1015904555bc04728dace270c4734c02e64030
SHA512 f62fd43cef647672debbe5a22a1461a885ad53e8f56ce426020f73064bfbf703d697e3a9e87ed5b4d8ec0b422c451477378bc7779460332bb02960349bd3ff05

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 e2eaae1faafbcb27b498ab773e936095
SHA1 a09bb8310da7332d63cc9a075fc51be9b256d0cd
SHA256 ee3c57bc5e701d433d3a1ec3352d44d26122987d0eacf48bb0d1a8daf3e19030
SHA512 255b59b795169df5c39c232c6af8c3d8a545f5c6b8662aa0a046a8fc90ade6abdde00316154c30cde2effabccdd229ebdfb62a44b55451e5fbd5d7e72c1d15c1

\Users\Admin\AppData\Local\Temp\_MEI9882\python312.dll

MD5 6f7c42579f6c2b45fe866747127aef09
SHA1 b9487372fe3ed61022e52cc8dbd37e6640e87723
SHA256 07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5
SHA512 aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-file-l2-1-0.dll

MD5 c3408e38a69dc84d104ce34abf2dfe5b
SHA1 8c01bd146cfd7895769e3862822edb838219edab
SHA256 0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453
SHA512 aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-timezone-l1-1-0.dll

MD5 e8af200a0127e12445eb8004a969fc1d
SHA1 a770fe20e42e2bef641c0591c0e763c1c8ba404d
SHA256 64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db
SHA512 a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-file-l1-2-0.dll

MD5 1f72ba20e6771fe77dd27a3007801d37
SHA1 db0eb1b03f742ca62eeebca6b839fdb51f98a14f
SHA256 0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4
SHA512 13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-processthreads-l1-1-1.dll

MD5 a55abf3646704420e48c8e29ccde5f7c
SHA1 c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8
SHA256 c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e
SHA512 c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-localization-l1-2-0.dll

MD5 75ef38b27be5fa07dc07ca44792edcc3
SHA1 7392603b8c75a57857e5b5773f2079cb9da90ee9
SHA256 659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a
SHA512 78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

\Users\Admin\AppData\Local\Temp\_MEI9882\ucrtbase.dll

MD5 9679f79d724bcdbd3338824ffe8b00c7
SHA1 5ded91cc6e3346f689d079594cf3a9bf1200bd61
SHA256 962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36
SHA512 74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

memory/2468-948-0x000007FEF5750000-0x000007FEF5E15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI19442\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-23 04:35

Reported

2024-12-23 04:38

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp

Files

N/A