MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 063930ca4af89dcbaa0cd81d3c7a909358ca52842d421df5c73cc49fb8e6c5e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer
Vendor detections: 15

SHA256 hash: 063930ca4af89dcbaa0cd81d3c7a909358ca52842d421df5c73cc49fb8e6c5e1
SHA3-384 hash: 46ee6151b4b0c63b8410c5dc829c90939e960669c238f1df74d8cd008812f6a39451926c4afa2dff9174e11a35df040c
SHA1 hash: b8bb653e2d0b3c177a184cf3dd1f96528d89d1d6
MD5 hash: 6d3834c2958604a2436f2a6e50ae4a3a
humanhash: carolina-chicken-seventeen-ten
File name: 6d3834c2958604a2436f2a6e50ae4a3a.exe
Signature: MarsStealer
File size: 301'568 bytes
First seen: 2023-09-22 15:03:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c162655c06b130468cfab3905d6d22e3 (1 x Smoke Loader, 1 x MarsStealer)
ssdeep: 3072:nzyXz5zSp2LEwDJj4ZuP8u5h2VSe7BHWnwZ4MZCor0FH5iOg87dB:zyzpSwNJj2uPf5O7ywyyfr0Ng8Z
Threatray: 440 similar samples on MalwareBazaar
TLSH: T1D8548D03B3E2BC61E57646319E2AC6A83B3FB531AE69677F13584A2F08B01E1C573751
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 70d0cec8d4d4d2dd (1 x MarsStealer)
Reporter: abuse_ch
Tags: exe MarsStealer
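Before detonating a copy of this sample, confirm that the file you downloaded is the one this entry describes. The script below is an added example, not MalwareBazaar's own code: using only the Python standard library it recomputes the four digests listed above, checks the stated file size, and performs a minimal MZ/PE header sanity check that matches the stated file type (application/x-dosexec). imphash, ssdeep and TLSH need third-party libraries and are left out. The bytes returned by fake_pe() are a constructed stand-in with a valid header skeleton and no real code, so they fail the digest checks by design.

```python
import hashlib
import struct

# Digests and size copied from the MalwareBazaar entry above.
ENTRY = {
    "md5": "6d3834c2958604a2436f2a6e50ae4a3a",
    "sha1": "b8bb653e2d0b3c177a184cf3dd1f96528d89d1d6",
    "sha256": "063930ca4af89dcbaa0cd81d3c7a909358ca52842d421df5c73cc49fb8e6c5e1",
    "sha3_384": "46ee6151b4b0c63b8410c5dc829c90939e960669c238f1df74d8cd008812f6a3"
                "9451926c4afa2dff9174e11a35df040c",
    "size": 301568,
}

DIGEST_NAMES = ("md5", "sha1", "sha256", "sha3_384")


def digests(data: bytes) -> dict:
    """Compute every digest the entry lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_NAMES}


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_against_entry(data: bytes, entry: dict = ENTRY) -> dict:
    """Per-field results; every value should be True before the file is analysed."""
    got = digests(data)
    result = {name: got[name] == entry[name] for name in DIGEST_NAMES}
    result["size"] = len(data) == entry["size"]
    result["pe_header"] = looks_like_pe(data)
    return result


def verify(data: bytes, entry: dict = ENTRY) -> bool:
    """True only if all digests, the size and the PE header check agree."""
    return all(check_against_entry(data, entry).values())


def fake_pe() -> bytes:
    """Constructed stand-in for a sample: MZ header, e_lfanew = 0x40, 'PE\\0\\0' there."""
    buf = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf += b"PE\0\0" + b"\0" * 20
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <downloaded file>; without a path, run on the stand-in.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else fake_pe()
    for field, ok in check_against_entry(data).items():
        print(f"{field:9s} {'OK' if ok else 'MISMATCH'}")
    print("verified" if verify(data) else "NOT the sample described by this entry")
```

A mismatch on any digest means you are not holding the file the entry describes (a re-packed copy, a truncated download, or a different sample), and the vendor verdicts and YARA matches below do not apply to it.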

Intelligence

File Origin
# of uploads: 1
# of downloads: 266
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6d3834c2958604a2436f2a6e50ae4a3a.exe
Verdict: Malicious activity
Analysis date: 2023-09-22 15:07:24 UTC
Tags: stealc stealer

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions in the session, not only the uploaded sample.
Result
Verdict: Malware
Behaviour:
  Creating synchronization primitives
  DNS request
  Launching the default Windows debugger (dwwin.exe)
  Sending a custom TCP request
  Searching for the window
  Gathering data

Verdict: Suspicious
Threat level: 10/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Oski Stealer
Verdict: Malicious
Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Found evasive API chain (may stop execution after checking locale)
  Found malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  Sample uses string decryption to hide its real strings
  Self deletion via cmd or bat file
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Yara detected Stealc
  Yara detected Vidar stealer
Behaviour
Behavior Graph: (image not reproduced)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-09-22 02:05:37 UTC
File Type: PE (Exe)
Extracted files: 23
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Delays execution with timeout.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Program crash
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Checks computer location settings
  Deletes itself
  Loads dropped DLL
  Reads user/profile data of web browsers
  Downloads MZ/PE file
  Stealc
Malware Config
C2 Extraction: http://bryanzachary.top
Unpacked files
SHA256 hash: 40cf7a0db480dd80e1c2e6f8b6a92eb997a5a318656ef4367832928de11886bc
MD5 hash: 706928d29bf5a9d43ec40fafc73481df
SHA1 hash: 124c272b804865d8e30b8e9716534724a41d02cd
Detections: stealc
Parent samples:
SHA256 hash: 063930ca4af89dcbaa0cd81d3c7a909358ca52842d421df5c73cc49fb8e6c5e1
MD5 hash: 6d3834c2958604a2436f2a6e50ae4a3a
SHA1 hash: b8bb653e2d0b3c177a184cf3dd1f96528d89d1d6
Please note that we are no longer able to provide a coverage score for VirusTotal.
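Two of the sandbox observations above translate directly into host and DNS telemetry: "Delays execution with timeout.exe" followed by "Deletes itself" (reported by another vendor as "Self deletion via cmd or bat file"), and the C2 URL recovered from the malware configuration. The script below is an added example and not part of this entry or of any vendor's detection logic. It runs two checks over constructed event records in the shape of Sysmon process-creation and DNS-query events: a cmd.exe child whose command line waits with timeout and then deletes its own parent's image, and any lookup of the extracted C2 domain or a subdomain of it. The exact self-delete command line is an assumption, since the page only names the behaviour; the event records, paths and process names are constructed and are not from the sandbox run.

```python
import re
from urllib.parse import urlparse

# C2 URL from the "Malware Config" section of this entry.
C2_URLS = ["http://bryanzachary.top"]
C2_DOMAINS = {urlparse(u).hostname.lower() for u in C2_URLS}

# "timeout ... & del ..." chain behind "Delays execution with timeout.exe" and
# "Deletes itself". The command-line shape is an assumption, not quoted on this page.
SELF_DELETE_RE = re.compile(r"\btimeout\b[^&]*&\s*del\b", re.IGNORECASE)


def is_self_delete(event: dict) -> bool:
    """cmd.exe child that waits, then deletes the executable of its own parent."""
    if not event["image"].lower().endswith("\\cmd.exe"):
        return False
    cmdline = event["command_line"]
    if not SELF_DELETE_RE.search(cmdline):
        return False
    # Only a hit when the path being deleted is the parent's own image.
    return event["parent_image"].lower() in cmdline.lower()


def find_self_deletes(events: list) -> list:
    return [e for e in events if is_self_delete(e)]


def is_c2_lookup(dns_event: dict) -> bool:
    """Match the C2 domain itself or any subdomain; ignore a trailing dot."""
    name = dns_event["query"].lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_lookups(dns_events: list) -> list:
    return [e for e in dns_events if is_c2_lookup(e)]


# Constructed process-creation events (Sysmon event 1 style); not real telemetry.
SAMPLE_PATH = r"C:\Users\victim\AppData\Local\Temp\6d3834c2958604a2436f2a6e50ae4a3a.exe"
PROCESS_EVENTS = [
    {   # the sample spawning its own removal
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": SAMPLE_PATH,
        "command_line": f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 5 & del /f /q "{SAMPLE_PATH}"',
    },
    {   # benign: a script that only waits
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"cmd.exe /c timeout /t 30",
    },
    {   # benign: deletes a log file, no delay, not its own parent
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Program Files\App\updater.exe",
        "command_line": r"cmd.exe /c del /q C:\Temp\old.log",
    },
]

# Constructed DNS-query events (Sysmon event 22 style); not real telemetry.
DNS_EVENTS = [
    {"image": SAMPLE_PATH, "query": "bryanzachary.top"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.mozilla.org"},
]

if __name__ == "__main__":
    for e in find_self_deletes(PROCESS_EVENTS):
        print("self-delete of", e["parent_image"])
    for e in find_c2_lookups(DNS_EVENTS):
        print("C2 lookup:", e["image"], "->", e["query"])
```

The self-delete check is deliberately tied to the parent's image path rather than to "timeout" or "del" alone, since both commands are common in installers and maintenance scripts; the DNS check is only as good as the extracted config, so treat a later change of C2 domain as a separate indicator rather than an absence of activity.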

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_Mars_Stealer
Author: @malgamy12
Description: detect_Mars_Stealer

Rule name: infostealer_win_stealc_standalone
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_stealc_w0
Author: crep1x
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: MarsStealer
File: Executable exe 063930ca4af89dcbaa0cd81d3c7a909358ca52842d421df5c73cc49fb8e6c5e1 (this sample)