MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments 1

SHA256 hash:	29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d
SHA3-384 hash:	8b4bd797089c32f0b4982045e1707d73b8c376757e600a80de347c94905013f0b2a7fdf6ad635dad5a399c9ca726beb8
SHA1 hash:	4ece19672c0a131aaf9328c753e8f7fc9239ef11
MD5 hash:	001240676293a2fd74cc8ba790d5806d
humanhash:	fish-network-wolfram-jersey
File name:	001240676293a2fd74cc8ba790d5806d
Download:	download sample
Signature	MarsStealer Create hunting rule
File size:	361'472 bytes
First seen:	2023-07-26 10:49:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	28e47df11fcc31ecc5eec0c4cd0746c2 (2 x RedLineStealer, 1 x MarsStealer, 1 x Smoke Loader)
ssdeep	3072:HaouFGFBLMgLqHuqH5jeNsypZQqSvHT0lEiL2E5g91RMwwlGvPGT1lTUZ:6oPFBLMgLhsyjQqcHT0uiLK97Xjv+HT
Threatray	30 similar samples on MalwareBazaar
TLSH	T1FC74C74383A9BF44D9A54B739E2FEAF8B60DF650CF4D3B65A1289E1F00B51B2D163610
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1030c09030381800 (1 x MarsStealer, 1 x Smoke Loader, 1 x Glupteba)
Reporter	zbetcheckin
Tags:	32 exe MarsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

001240676293a2fd74cc8ba790d5806d

Verdict:

Malicious activity

Analysis date:

2023-07-26 10:51:43 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/4f182014-b3be-45b3-b799-776794274e1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/433533/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07fb707f-1578-4bf3-8e88-a365d60bc608

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1280052

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-07-26 10:50:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fhzds6pdwva4vckv7s6tud44vw67slan6zn2jfpoxgf5dykuxrwq._file

Verdict:

malicious

MarsStealer

0ac7f379b3325d3b367cda31efc43ddf96e2b3f0426cc4d7d4912add6ef8d87c

MarsStealer

2c1345b32de4f6f1c2f60fd25cde9e0817830a0d3eb626dcc82504b7b73566d2

MarsStealer

39e419e214eb8eaec3044defec6894257fc814681c4239e9831bf8458c33b7a9

MarsStealer

3f76054b9bf791ef9397df1dc505e7cc8dcb87a39a2e238e71693dd0c3c3553b

MarsStealer

68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b

MarsStealer

970a7ff3bab4b5fffe226cf5e66d997c9a8692623c2fa17fb5e2d35b16686564

MarsStealer

c4b6bb4bd33e3ef107781a21eb0dedb82dbe90c4e9d6f0b19620c8940e18fa6b

MarsStealer

d87502f99648aac5100598129fd31648afb3dce99bfaf4274dce3997c1bfa6d7

MarsStealer

f244a694cb0f831e3fd68edf484444700378106be5fe03cc5b3dfd6125331871

MarsStealer

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230726-mw9cqaah69/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

a67ebefdcae4ba5d76bce770a4920256e84195bef3a4702d967be7e5b8181c12

MD5 hash:

7055fcde2b7f39ef7f8007b3bfc1a0bf

SHA1 hash:

676adecade4e2b6c3275ca39ac65059c1863509f

Link:

https://www.unpac.me/results/af743b33-b861-48b6-adfb-88cfdc114c85/

SH256 hash:

29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d

MD5 hash:

001240676293a2fd74cc8ba790d5806d

SHA1 hash:

4ece19672c0a131aaf9328c753e8f7fc9239ef11

Link:

https://www.unpac.me/results/af743b33-b861-48b6-adfb-88cfdc114c85/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/29f23979e3b5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/