marsstealer | bfe1158258e04a58d37eab94edfe9cdf88438a0f7244747d73f81fd7c5798c4b

Resubmissions

11/04/2025, 22:36

250411-2jby1s1rt6 10

11/04/2025, 20:18

250411-y3ex8syxfw 10

11/04/2025, 19:48

250411-yjg89aytey 10

11/04/2025, 19:45

250411-ygltnaytct 10

Sharing

Copy URL

Twitter E-mail

General

Target

scary.exe
Size

75.3MB
Sample

250411-ygltnaytct
MD5

ca39d405dfa59baece7fdbfae5479674
SHA1

1c8b5c81ddb04c342a25518fe10be28294e323cf
SHA256

bfe1158258e04a58d37eab94edfe9cdf88438a0f7244747d73f81fd7c5798c4b
SHA512

5a5e37fc6e9148ed17cfb80657fd49a4d2346c5ab4e8311ea060bbe66829dc146b6feec45446163a334783279878eb89c3bb3bf2e5965fad333fd135e1712be5
SSDEEP

1572864:1X7oHaEUo7olZfWmsJme3ZwzCPSyeGEmjx/IwyVCOdjlBkhod8sz+cjpz0IE:1M98NWdhJwzCHeGfjNyMOdjDeodjUI

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Java Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Extracted

Family

stealerium

https://api.telegram.org/bot1616004787:AAH60oNqVa82nffKp0gB2yn5A_jmiTy0_XY/sendMessage?chat_id=

Extracted

Family

umbral

https://discord.com/api/webhooks/1360276909551915029/lC-vw7kRiqutkehNUDibMCgd2Hd6PFiq86JSv2ugXDPC7_FGRYRy6t4EL1s_Fy6LAyD6

Extracted

Path

C:\Users\Admin\AppData\Roaming\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Family

marsstealer

Botnet

Default

Extracted

Path

C:\Users\Admin\AppData\Roaming\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  scary.exe
- Size
  
  75.3MB
- MD5
  
  ca39d405dfa59baece7fdbfae5479674
- SHA1
  
  1c8b5c81ddb04c342a25518fe10be28294e323cf
- SHA256
  
  bfe1158258e04a58d37eab94edfe9cdf88438a0f7244747d73f81fd7c5798c4b
- SHA512
  
  5a5e37fc6e9148ed17cfb80657fd49a4d2346c5ab4e8311ea060bbe66829dc146b6feec45446163a334783279878eb89c3bb3bf2e5965fad333fd135e1712be5
- SSDEEP
  
  1572864:1X7oHaEUo7olZfWmsJme3ZwzCPSyeGEmjx/IwyVCOdjlBkhod8sz+cjpz0IE:1M98NWdhJwzCHeGfjNyMOdjDeodjUI
Score

10^/10

marsstealer modiloader quasar stealerium umbral wannacry default office04 bootkit credential_access defense_evasion discovery persistence ransomware spyware stealer trojan vmprotect worm execution
- Detect Umbral payload
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Marsstealer family
  marsstealer
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Stealerium family
  stealerium
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- ModiLoader Second Stage
- Stops running service(s)
  defense_evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3