General
Target: m0wsoI3.exe
Size: 159KB
Sample: 250317-pey7jaspz7
MD5: 599e5d1eea684ef40fc206f71b5d4643
SHA1: 5111931bba3c960d14b44871950c62249aeefff7
SHA256: 2321c97ec6ac02f588357ad3d72df237f3042054f603851587c59eaef5ceb13c
SHA512: 842149b31140a4f42597e016ecb8cb22f8e98919ac5e5cc646543fce78e021a022c1a67376856251463a342b51d7d8a16322b1b90bc817e76952e8bb08df0ac0
SSDEEP: 3072:UjXEYZz5R/aCt5EwQvIlrycM7HNQoHPK9gsrk3rFXjo5JSp8Bb8EG:i/2Ct5EwQvIl9M7nHPK9dSc8EG
Static task: static1
Behavioral task: behavioral1
  Sample: m0wsoI3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: m0wsoI3.exe
  Resource: win10v2004-20250314-en
Malware Config
Extracted family: marsstealer
Config (Default): ctrlgem.xyz/gate.php
Targets
Target: m0wsoI3.exe
Size: 159KB
MD5: 599e5d1eea684ef40fc206f71b5d4643
SHA1: 5111931bba3c960d14b44871950c62249aeefff7
SHA256: 2321c97ec6ac02f588357ad3d72df237f3042054f603851587c59eaef5ceb13c
SHA512: 842149b31140a4f42597e016ecb8cb22f8e98919ac5e5cc646543fce78e021a022c1a67376856251463a342b51d7d8a16322b1b90bc817e76952e8bb08df0ac0
SSDEEP: 3072:UjXEYZz5R/aCt5EwQvIlrycM7HNQoHPK9gsrk3rFXjo5JSp8Bb8EG:i/2Ct5EwQvIl9M7nHPK9dSc8EG
Score: 10/10
Signatures:
- Marsstealer family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)