MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d
SHA3-384 hash: 9fe1fd988b80b2430924be9ba75f5845e22dffcd8f81f40c1b6046ab4990778611151384f849dd89ab9f0fd444c76d1a
SHA1 hash: 5d120a04f17c41dea840813924e1db09f37ec9ec
MD5 hash: 0e401858f3a6fd114c894782e678d9b6
humanhash: skylark-august-tennessee-black
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:2'145'792 bytes
First seen:2024-11-04 00:05:55 UTC
Last seen:2024-11-04 01:28:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:UtoRb03QUOoE1+25Yw1oEAn+eKCLRzrUS8ClipnAcs6n:UtlAUd+YIoEA+/aRz38Tf
TLSH T173A5330D15B3BDADCE8DC7F7BBEA982FE780CD58A5E61E0359548C1F795240806E062E
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
26
# of downloads :
451
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-04 00:08:01 UTC
Tags:
lumma stealer stealc loader themida amadey botnet
Link:
https://app.any.run/tasks/d8c66ec5-c486-4a21-855f-86b5ba80cb29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.17727.3352.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67280ff48d23d90491333bae
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67280fedf34fcc4d759967c3/reports/950169fe-83b6-4438-83b2-f7396b0138a8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3f7ec8e8-95f6-40fc-b6b8-b27fc87afe21
Result
Threat name:
LummaC, Amadey, Credential Flusher, Stea
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1548122
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1548122 Sample: file.exe Startdate: 04/11/2024 Architecture: WINDOWS Score: 100 97 thumbystriw.store 2->97 99 steamcommunity.com 2->99 101 22 other IPs or domains 2->101 133 Suricata IDS alerts for network traffic 2->133 135 Found malware configuration 2->135 137 Antivirus detection for dropped file 2->137 139 15 other signatures 2->139 9 skotes.exe 4 26 2->9         started        14 file.exe 37 2->14         started        16 skotes.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 119 185.215.113.43, 49791, 49803, 80 WHOLESALECONNECTIONSNL Portugal 9->119 79 C:\Users\user\AppData\...\53e198cb32.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\f988488245.exe, PE32 9->81 dropped 83 C:\Users\user\AppData\...\5a22e2bac0.exe, PE32 9->83 dropped 91 5 other malicious files 9->91 dropped 165 Creates multiple autostart registry keys 9->165 167 Hides threads from debuggers 9->167 169 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->169 20 53e198cb32.exe 9->20         started        23 eb8b097d9f.exe 9->23         started        26 5a22e2bac0.exe 13 9->26         started        28 f988488245.exe 9->28         started        121 185.215.113.16, 49760, 49809, 80 WHOLESALECONNECTIONSNL Portugal 14->121 123 185.215.113.206, 49730, 49748, 80 WHOLESALECONNECTIONSNL Portugal 14->123 125 127.0.0.1 unknown unknown 14->125 85 C:\Users\user\DocumentsDHCGHDHIDH.exe, PE32 14->85 dropped 87 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->87 dropped 89 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->89 dropped 93 13 other files (9 malicious) 14->93 dropped 171 Detected unpacking (changes PE section rights) 14->171 173 Attempt to bypass Chrome Application-Bound Encryption 14->173 175 Drops PE files to the document folder of the user 14->175 185 9 other signatures 14->185 30 cmd.exe 1 14->30         started        32 chrome.exe 14->32         started        177 Antivirus detection for dropped file 16->177 179 Machine Learning detection for dropped file 16->179 181 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->181 183 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->183 34 firefox.exe 18->34         started        37 firefox.exe 18->37         started        39 5 other processes 18->39 file6 signatures7 process8 dnsIp9 141 Multi AV Scanner detection for dropped file 20->141 143 Detected unpacking (changes PE section rights) 20->143 145 Machine Learning detection for dropped file 20->145 163 4 other signatures 20->163 105 founpiuer.store 104.21.5.155 CLOUDFLARENETUS United States 23->105 107 packagednyb.cyou 188.114.96.3 CLOUDFLARENETUS European Union 23->107 115 2 other IPs or domains 23->115 147 Antivirus detection for dropped file 23->147 149 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->149 151 Tries to evade debugger and weak emulator (self modifying code) 23->151 153 LummaC encrypted strings found 23->153 155 Hides threads from debuggers 26->155 157 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->157 159 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->159 161 Binary is likely a compiled AutoIt script file 28->161 41 taskkill.exe 28->41         started        43 taskkill.exe 28->43         started        56 4 other processes 28->56 45 DocumentsDHCGHDHIDH.exe 4 30->45         started        49 conhost.exe 30->49         started        109 192.168.2.4, 443, 49730, 49734 unknown unknown 32->109 111 239.255.255.250 unknown Reserved 32->111 51 chrome.exe 32->51         started        113 youtube.com 142.250.185.238 GOOGLEUS United States 34->113 117 5 other IPs or domains 34->117 77 C:\Users\user\AppData\...\places.sqlite-wal, SQLite 34->77 dropped 58 2 other processes 34->58 54 firefox.exe 37->54         started        60 5 other processes 39->60 file10 signatures11 process12 dnsIp13 62 conhost.exe 41->62         started        64 conhost.exe 43->64         started        95 C:\Users\user\AppData\Local\...\skotes.exe, PE32 45->95 dropped 187 Antivirus detection for dropped file 45->187 189 Detected unpacking (changes PE section rights) 45->189 191 Machine Learning detection for dropped file 45->191 193 6 other signatures 45->193 66 skotes.exe 45->66         started        103 www.google.com 142.250.185.68, 443, 49734, 49735 GOOGLEUS United States 51->103 69 firefox.exe 54->69         started        71 conhost.exe 56->71         started        73 conhost.exe 56->73         started        75 conhost.exe 56->75         started        file14 signatures15 process16 signatures17 127 Hides threads from debuggers 66->127 129 Tries to detect sandboxes / dynamic malware analysis system (registry check) 66->129 131 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 66->131
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2024-11-04 00:06:13 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajr2pn5tebkx2vzee7rfktdmz3svlyv3z52vpxyl5yc5muvyi6gq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:tale credential_access discovery evasion spyware stealer
Link:
https://tria.ge/reports/241104-adrczayarg/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/e9f99dee-8928-47e0-bdef-23297b17daa6
Unpacked files
SH256 hash:
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
MD5 hash:
eda18948a989176f4eebb175ce806255
SHA1 hash:
ff22a3d5f5fb705137f233c36622c79eab995897
Link:
https://www.unpac.me/results/1a12190c-85dc-4f70-89f1-40a7b836897c/
SH256 hash:
dc00b28f9601c754e69f567935064344ee9bf2cad30fd04a8ae63837b1083d43
MD5 hash:
69ddc3d868c7e915b9cc3a76b96ca65c
SHA1 hash:
ae56432893d80bfbc7e558e0fabb389d3ade54fa
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
detect_Mars_Stealer
Create hunting rule
Link:
https://www.unpac.me/results/1a12190c-85dc-4f70-89f1-40a7b836897c/
SH256 hash:
0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d
MD5 hash:
0e401858f3a6fd114c894782e678d9b6
SHA1 hash:
5d120a04f17c41dea840813924e1db09f37ec9ec
Link:
https://www.unpac.me/results/1a12190c-85dc-4f70-89f1-40a7b836897c/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0263a7b7b320/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 0263a7b7b320557d572427e2554c6ccee555e2bbcf7557df0bee05d652b8478d

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments