MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
SHA3-384 hash: a0110f8a10d6c193d922aaedd327667b99ea8a2ac8280158886368c430af639a1321c885e3bd09715397218bf85cd2d1
SHA1 hash: 4bd1c441c55ec55a1cac7ca2bfe786a739cb01a4
MD5 hash: dfd49d1326704cfeee9852999782e4b6
humanhash: table-charlie-oven-fix
File name:dfd49d1326704cfeee9852999782e4b6.exe
Download: download sample
Signature MarsStealer
Create hunting rule
File size:334'888 bytes
First seen:2024-10-01 05:16:55 UTC
Last seen:2024-10-01 12:22:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:b0VDzBghICYEQ4pirMkbnahpDVD9oX8Wnde3Ka+DWYBemn1gGsvYBKKbM3itHqOk:YR6W7dUirtbMpDVD9oX8WnU3Fh+l1gsW
Threatray 1 similar samples on MalwareBazaar
TLSH T1786423B165A41577FE4A08F732FFE4552E7149616183D2BA2009987CDF837011BAF376
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe MarsStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
357
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
4f828f95c11479c61692052d9254022a.exe
Verdict:
Malicious activity
Analysis date:
2024-10-01 05:16:58 UTC
Tags:
vidar stealer loader lumma stealc
Link:
https://app.any.run/tasks/4192595d-9928-4306-8035-b4ea0b891167

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8670.30258.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fb85d1936bd9db87720f1d
Tags:
Exploit Micro Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for the window
Launching a process
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed stealc
Link:
https://www.filescan.io/uploads/66fb85d0fd0d7ccfe8486759/reports/6453214e-1a89-4292-abfd-7632c1548f11/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5198b5b1-f904-4f0b-be09-e109d5d0eb70
Result
Threat name:
LummaC, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1523130
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523130 Sample: hTR7xY0d0V.exe Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 120 writekdmsnu.site 2->120 122 underlinemdsj.site 2->122 124 9 other IPs or domains 2->124 158 Suricata IDS alerts for network traffic 2->158 160 Found malware configuration 2->160 162 Malicious sample detected (through community Yara rule) 2->162 164 18 other signatures 2->164 15 hTR7xY0d0V.exe 2 2->15         started        signatures3 process4 file5 118 C:\Users\user\AppData\...\hTR7xY0d0V.exe.log, CSV 15->118 dropped 140 Contains functionality to inject code into remote processes 15->140 142 Writes to foreign memory regions 15->142 144 Allocates memory in foreign processes 15->144 146 Injects a PE file into a foreign processes 15->146 19 RegAsm.exe 39 15->19         started        24 conhost.exe 15->24         started        signatures6 process7 dnsIp8 126 46.8.231.109, 49707, 49750, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 19->126 128 147.45.44.104, 49708, 49743, 80 FREE-NET-ASFREEnetEU Russian Federation 19->128 94 C:\Users\user\AppData\...\softokn3[1].dll, PE32 19->94 dropped 96 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 19->96 dropped 98 C:\Users\user\AppData\...\mozglue[1].dll, PE32 19->98 dropped 100 13 other files (9 malicious) 19->100 dropped 176 Tries to steal Mail credentials (via file / registry access) 19->176 178 Found evasive API chain (may stop execution after checking locale) 19->178 180 Tries to steal Crypto Currency Wallets 19->180 182 2 other signatures 19->182 26 cmd.exe 1 19->26         started        28 cmd.exe 1 19->28         started        file9 signatures10 process11 process12 30 userAAKKKEBFCG.exe 2 26->30         started        33 conhost.exe 26->33         started        35 userDGIJECGDGC.exe 2 28->35         started        37 conhost.exe 28->37         started        signatures13 200 Multi AV Scanner detection for dropped file 30->200 202 Machine Learning detection for dropped file 30->202 204 Writes to foreign memory regions 30->204 39 RegAsm.exe 1 131 30->39         started        44 conhost.exe 30->44         started        206 Allocates memory in foreign processes 35->206 208 Injects a PE file into a foreign processes 35->208 210 LummaC encrypted strings found 35->210 46 RegAsm.exe 35->46         started        48 conhost.exe 35->48         started        process14 dnsIp15 130 cowod.hopto.org 45.132.206.251, 49752, 80 LIFELINK-ASRU Russian Federation 39->130 132 49.12.197.9, 443, 49720, 49721 HETZNER-ASDE Germany 39->132 102 C:\Users\...\66fb287b4e6d5_vdfsgfd[1].exe, PE32 39->102 dropped 104 C:\Users\...\66fb253552d8d_sdhgdfsd[1].exe, PE32 39->104 dropped 106 C:\Users\user\...\66fb252026ae7_lfnd[1].exe, PE32 39->106 dropped 108 3 other malicious files 39->108 dropped 184 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->184 186 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->186 188 Tries to steal Crypto Currency Wallets 39->188 190 Tries to harvest and steal Bitcoin Wallet information 39->190 50 IIIDAKJDHJ.exe 39->50         started        53 DBFHDBGIEB.exe 39->53         started        55 GDGHIDBKJE.exe 39->55         started        57 cmd.exe 39->57         started        134 underlinemdsj.site 104.21.1.169, 443, 49709, 49745 CLOUDFLARENETUS United States 46->134 136 offeviablwke.site 172.67.197.40, 443, 49714, 49748 CLOUDFLARENETUS United States 46->136 138 steamcommunity.com 104.102.49.254, 443, 49711, 49719 AKAMAI-ASUS United States 46->138 file16 signatures17 process18 signatures19 148 Multi AV Scanner detection for dropped file 50->148 150 Machine Learning detection for dropped file 50->150 152 Writes to foreign memory regions 50->152 59 RegAsm.exe 50->59         started        73 3 other processes 50->73 154 Allocates memory in foreign processes 53->154 156 Injects a PE file into a foreign processes 53->156 63 conhost.exe 53->63         started        65 RegAsm.exe 53->65         started        67 RegAsm.exe 53->67         started        75 3 other processes 53->75 69 conhost.exe 55->69         started        71 RegAsm.exe 55->71         started        77 2 other processes 57->77 process20 file21 110 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 59->110 dropped 112 C:\Users\user\AppData\...\mozglue[1].dll, PE32 59->112 dropped 114 C:\Users\user\AppData\...\freebl3[1].dll, PE32 59->114 dropped 116 3 other files (2 malicious) 59->116 dropped 192 Tries to steal Mail credentials (via file / registry access) 59->192 194 Tries to harvest and steal ftp login credentials 59->194 196 Tries to harvest and steal browser information (history, passwords, etc) 59->196 198 2 other signatures 59->198 79 cmd.exe 59->79         started        81 cmd.exe 59->81         started        signatures22 process23 process24 83 userDHCAAEBKEG.exe 79->83         started        86 conhost.exe 79->86         started        88 userBAAAKJDAAF.exe 81->88         started        90 conhost.exe 81->90         started        signatures25 166 Multi AV Scanner detection for dropped file 83->166 168 Machine Learning detection for dropped file 83->168 170 Writes to foreign memory regions 83->170 92 conhost.exe 83->92         started        172 Allocates memory in foreign processes 88->172 174 Injects a PE file into a foreign processes 88->174 process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef/
Threat name:
Win32.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2024-10-01 01:55:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekakbqmhbdfv7uhasprpii2q4ox3r46kgh6te6p4pf5gyu2vglxq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01
MarsStealer
error
MarsStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:stealc family:vidar botnet:8b4d47586874b08947203f03e4db3962 botnet:default credential_access discovery spyware stealer
Link:
https://tria.ge/reports/241001-fypyjawfpb/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Detect Vidar Stealer
Lumma Stealer, LummaC
Stealc
Vidar
Malware Config
C2 Extraction:
http://46.8.231.109
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
https://underlinemdsj.site/api
https://offeviablwke.site/api
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/b4a29444-97a1-40df-abd5-7389abbde8a1
Unpacked files
SH256 hash:
06f3daaedaefb6f74a31b3cfaec23e4290c50609c8cdacb33bd363e5fa0834ef
MD5 hash:
400efa3a374f435132c5eb4a7f809a95
SHA1 hash:
f72efa14ace9db4b6b7f77b7c8bac34a112bf521
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/a7a41b82-4802-4635-8d2b-a349208b33c5/
Parent samples :
2b8bcd9d7d072feb114e0436dc10aa80fda52cdd46a4948ea1ae984f74898375
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
c5a07fdd3ce7bee393285bef38dd7bc96386c33cba401d06187d0a10d479de6c
fb4298dbc61eb3ace5aa751f29a4b53bb20959fb39bde91095e1d18103149e18
2d63ff4e2c1bde1601315d12ea75a52c90b7e203f8a8e6140ab1da2e0d8a9554
1dc17bd6367dafd965adb0a12819f7efd6d5bc61585feceee69f6a09e4d1fc32
98a63017e0d5084ced9459e819a9586691062b1bbe5f2622069df90112201329
53f74c71c625da6b7ff77c3a61aad3be0ff4a7199ee447c57c0d12dbbfaccf32
20175d2f268bff73e352a5a5b85d987b8a5958311b1032251f7341def5396f4b
48fc88b91467d7f8781721313f69f8299e128ca190a95ff790d6ac23bd9a98d5
7ffc2e99e06f93704ab32bd39627ee66d1f114b89c45463eeb198af72de0613d
33ec381cf58df623bc6b3879a5aea2914034d42b885a2c61aaf10f6c2ab8cae4
3bc752d2803f660c3216bcfa6fcd3cfb03b21b8753d4bec32f4e679af854028a
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8
33105a1685207694a3de20a03c82524fe8cd7f0f19fa85ba5d88d6b4d8457660
08fc29d1bcd3c1c9145a6cf9087ce892217c2d0312410d916dd8aa748a0479c6
33b0a6c0a93c8739f0a9de40a727c7d5dba9c9a0e6ffe65c7d3173082be2a73f
22595bd9120d6fad0bd0e8caf9700fe6ab5f2805c8903681baddb1bab83819c5
fde872c02c049b7b02d8dfa2d694fba47b8d300001c6cf0ec83f11634a7256dd
0cfea23100355dbb358f9355abe9acc2c93042e29027c9f547fab0c0084d6d63
66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
ddf3c590d0cd0bf3f871c5baa3a84e14428cecf3a929fd2c40d483e3252d45ff
54c87130b16079039f3b1e1f406a794669ef4f66f3d26ebde713491e03a1ee08
7ad4282eca5f0d0ed47402d9c012b95623f114353cfd5f09aaf0aab343f8a8d7
441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd
SH256 hash:
29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43
MD5 hash:
2ec23e83e2f63ab27c25741b1f4d7f49
SHA1 hash:
bb231b274bd66393fa830a44e6d4447d4399eeb9
Link:
https://www.unpac.me/results/a7a41b82-4802-4635-8d2b-a349208b33c5/
SH256 hash:
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
MD5 hash:
dfd49d1326704cfeee9852999782e4b6
SHA1 hash:
4bd1c441c55ec55a1cac7ca2bfe786a739cb01a4
Link:
https://www.unpac.me/results/a7a41b82-4802-4635-8d2b-a349208b33c5/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2280a0c18708/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mars Stealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3203137/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments