MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c
SHA3-384 hash: 8f9d27ab95c22b25b06d9301b60e51d8fa22422f4b16aac3bc01b5981196da1647637b18649d6ae1ead92489ccbd1041
SHA1 hash: 3eef744a878e1cb0dbb9e8a7ed2e53b9ddec8e8b
MD5 hash: c2f1d7ea7f9001db4ce9e17ad0ceb091
humanhash: montana-football-april-helium
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:1'850'880 bytes
First seen:2024-10-18 10:53:09 UTC
Last seen:2024-10-18 10:54:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:5P3dP0zaLQYdB9qYDhGF5gNUlGGOmiB9gPpGoRECMl:D0zaL1LEdg6lGGOH9gPpjRp
Threatray 184 similar samples on MalwareBazaar
TLSH T1768533335E70C4A0C8105BB9BAD2A2523B310F9085DAA8741DE7B9F3E577CDE9344DA6
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://185.215.113.103/steam/random.exe

Intelligence

File Origin
# of uploads :
17
# of downloads :
389
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-18 10:58:32 UTC
Tags:
lumma stealer themida opendir loader stealc amadey botnet
Link:
https://app.any.run/tasks/4c8df33a-9d3a-4344-bd73-188c007648b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67123e4c34f884d15c8ca873
Tags:
Exploit Spam Hype Onli
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/67123e4beba55d23dc7f5f23/reports/0cb62a20-0ecb-446a-8e75-4afda58cfb55/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b6fec186-6753-4e4d-9fd4-904d333afb4b
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1536966
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2024-10-18 10:54:07 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebgg6x4rmgo2gcs3nnp2esgaar4xqhuwlmav7c4s5cf4yghqwu6a._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c
MarsStealer
782494d2b68eb1b91e399c379820801a350af5b3779a3182e9f58fccb56bd760
MarsStealer
8c71df132e0ef047762c84c871507eae43b334c24502ce36e72f0c2dbc6acd0c
MarsStealer
abb66702c0142f1c87cb3583fa3b30d0c39d266ee55748b86ba8c7bbc4da31a3
MarsStealer
c833a791cbbf8c968204594e9d2ae77ca8e3031bbb4af4aa0d4e46cc679b9893
MarsStealer
ebb1b01d61c7e3ac4578f7b7193bc2f0a70909195f5f311e2e49f4a9974ca9a8
MarsStealer
error
MarsStealer
f57963771c5b3d4171996301a28452a49f89a76f8812aec518e6c93e0af7ca93
MarsStealer
f849ec75c2f7c5e04a0eed780284321b184aab3be747579b0ed42b57da14bef9
MarsStealer
+ 174 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:doma discovery evasion stealer
Link:
https://tria.ge/reports/241018-mzjlgawamk/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Malware Config
C2 Extraction:
http://185.215.113.37
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63df9b04-d83a-4742-a762-d8128489b099
Unpacked files
SH256 hash:
29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43
MD5 hash:
2ec23e83e2f63ab27c25741b1f4d7f49
SHA1 hash:
bb231b274bd66393fa830a44e6d4447d4399eeb9
Link:
https://www.unpac.me/results/02990499-2d5a-4932-b85a-b8011577f043/
SH256 hash:
29a326819f6c8ce2a2430b71c9cf7e07d925e7d2e41452123f90d4e99acb891f
MD5 hash:
dc228844cf12ec3fdda7f1a19adb6010
SHA1 hash:
3d321f00b05806ffcc651e9b4122e73438e5aab8
Detections:
stealc
Create hunting rule
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
detect_Mars_Stealer
Create hunting rule
Link:
https://www.unpac.me/results/02990499-2d5a-4932-b85a-b8011577f043/
SH256 hash:
204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c
MD5 hash:
c2f1d7ea7f9001db4ce9e17ad0ceb091
SHA1 hash:
3eef744a878e1cb0dbb9e8a7ed2e53b9ddec8e8b
Link:
https://www.unpac.me/results/02990499-2d5a-4932-b85a-b8011577f043/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/204c6f5f9161/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 204c6f5f91619da30a5b6b5fa248c00479781e965b015f8b92e88bcc18f0b53c

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3183446/
  
URLhaus
https://urlhaus.abuse.ch/url/3171133/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments