MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb
SHA3-384 hash: 2bcca4b6133023dcf6732e28c33f844f771dac6bca0eeb7118292b352b3fe9982ae6d1b317acd19e94a3a20d33ed93b6
SHA1 hash: 87fbf60e9ba1d60b546347632f1884fe1c531f0f
MD5 hash: f0c2a8ff2890cad08f17e607ccdda7fc
humanhash: utah-blue-six-cardinal
File name:Зоркий Глаз 5.409 (setup).exe
Download: download sample
Signature MarsStealer
Create hunting rule
File size:6'213'632 bytes
First seen:2023-10-03 15:42:33 UTC
Last seen:2023-10-03 16:37:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:9so8Likxo9IiDqmbTp15J+/EE8Yfbebq/9jTaOS9SW5NyBFTGbxN+owQ:
Threatray 3'421 similar samples on MalwareBazaar
TLSH T169560A242DFF508D7273EF654FD8B8FB895FF6632A0A64B9105103464723E81DDA2A39
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d0ce6aeca4b6a4c4 (1 x MarsStealer, 1 x njrat)
Reporter stealerkiller
Tags:crypted exe MarsStealer


Avatar
stealerkiller
MarsStealer C2 :
hxxp://rakishev[.]org/wp-load[.]php

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://upnow-prod.ff45e40d1a1c8f7e7de4e976d0c9e555.r2.cloudflarestorage.com/CN0wc0YKp1QSWoVIxUUZI0IuU4c2/9e03e29e-1266-4916-ac86-b0fb16e30ee9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=cdd12e35bbd220303957dc5603a4cc8e%2F20231003%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20231003T153250Z&X-Amz-Expires=43200&X-Amz-Signature=89dab68a24e297172318399788c249b73b4e580681e5560fd52bff548a1b6331&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%3F%3F%3F%3F%3F%3F%20%3F%3F%3F%3F%205.409%20%28setup%29.exe%22%3B%20filename%2A%3DUTF-8%27%27%25D0%2597%25D0%25BE%25D1%2580%25D0%25BA%25D0%25B8%25D0%25B8%2520%25D0%2593%25D0%25BB%25D0%25B0%25D0%25B7%25205.409%2520%2528setup%2529.exe
Verdict:
No threats detected
Analysis date:
2023-10-03 15:36:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7cce9dbe-a874-484a-83b5-9ffffa64c15f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.23733.2639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Searching for the window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Labled as:
MSIL.Binder.Generic
Link:
https://www.hybrid-analysis.com/sample/44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb
Result
Verdict:
MALICIOUS
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/082aedd6-f88d-42b0-b8bc-de79da2f097a
Result
Threat name:
Mars Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318847
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops executable to a common third party application directory
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Mars stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318847 Sample: #U0417#U043e#U0440#U043a#U0... Startdate: 03/10/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 11 other signatures 2->53 8 #U0417#U043e#U0440#U043a#U0438#U0439_#U0413#U043b#U0430#U0437_5.409_(setup).exe 6 2->8         started        process3 file4 31 C:\Users\user\AppData\...\O4S4N03E.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Local\...\3MFXEK8F.exe, PE32 8->33 dropped 63 Drops executable to a common third party application directory 8->63 12 O4S4N03E.exe 6 8->12         started        16 3MFXEK8F.exe 2 8->16         started        18 conhost.exe 8->18         started        signatures5 process6 file7 41 C:\ProgramData\USOPrivate\5KLAXNBFB6UJX.exe, PE32 12->41 dropped 65 Antivirus detection for dropped file 12->65 67 Machine Learning detection for dropped file 12->67 20 5KLAXNBFB6UJX.exe 15 12->20         started        24 conhost.exe 12->24         started        43 C:\Users\user\AppData\Local\...\3MFXEK8F.tmp, PE32 16->43 dropped 26 3MFXEK8F.tmp 5 16->26         started        signatures8 process9 dnsIp10 45 rakishev.org 172.67.191.205, 49792, 80 CLOUDFLARENETUS United States 20->45 55 Antivirus detection for dropped file 20->55 57 Multi AV Scanner detection for dropped file 20->57 59 Found evasive API chain (may stop execution after checking mutex) 20->59 61 6 other signatures 20->61 29 WerFault.exe 21 9 20->29         started        35 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 26->35 dropped 37 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 26->37 dropped 39 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 26->39 dropped file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb/
Threat name:
ByteCode-MSIL.Trojan.ReverseRat
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 15:43:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itcccvxrnlrwmtblukxkfobcjpv5xsmolf4pk223cockriizc7vq._file
Verdict:
malicious
Similar samples:
0c330e44402e3428dcc2cfb3758a16637a74663c86c89acca347dd1ee4ac7775
MarsStealer
1bef39c614400011ce79530d0aa793f0ac9776f2394f98a06147f8097cf7b94e
MarsStealer
4fea2a47c88fd3a41494b00f04b03d3e00b0a87a4425987772df177aa422f119
MarsStealer
54a10b7eb52558053267f75fcd22603fcae21177adc499c3645d0a05697343c6
MarsStealer
7a8ade289fe2a902d0c3f496a19b4d64635e05120fc6ca37a2b9052ad7c3a7b7
MarsStealer
88a951915718243c52f744594072830e29f229f49009117f640cb7cc47aeea1e
MarsStealer
a4da273af035715653bb44a7ae39eb4f768c89f3156d8121e507cb13f556ff1b
MarsStealer
bcc36cf04e425f78fd84739510c01105b95accf91dc4495bf896176ce5fb9ab3
MarsStealer
e1b2b4ff7fa6917070b3b7a6f0d3f0bd37cd0ccb5f16fcf8a7560aade1457ff1
MarsStealer
f1b23f95a3f5725b0c8f77bffc1ac2c2c44aa91a163ed4a6604319bb82e65537
MarsStealer
+ 3'411 additional samples on MalwareBazaar
Result
Malware family:
marsstealer
Create hunting rule
Score:
  10/10
Tags:
family:marsstealer botnet:default stealer
Link:
https://tria.ge/reports/231003-s5w2mseh66/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Mars Stealer
Malware Config
C2 Extraction:
rakishev.org/wp-load.php
Unpacked files
SH256 hash:
5f239096c327b22c21c0205dde0d8dc4c41f458be802f74f54cdc5ba38921668
MD5 hash:
dc04cd84d39f8ad4354de37702a9a980
SHA1 hash:
db928ad60a7c29d5f5287b5f984d2e78fa64479a
Link:
https://www.unpac.me/results/3b39c173-0be0-4717-bd66-ebffbed13ea7/
SH256 hash:
b34c6fa3634b5c3cc501bf21d72e82cd57b4bd9e32d22fb4e31f7d83d852b691
MD5 hash:
0541dbe9dc3430860997086e63db74a9
SHA1 hash:
ba922c9fb5eb75ac97ceba4c54c423f8e89d8eb5
Link:
https://www.unpac.me/results/3b39c173-0be0-4717-bd66-ebffbed13ea7/
SH256 hash:
3224dbd2628d5ea949279bc0628fb75ebddfb540202f9e5c9fad91357a3247fd
MD5 hash:
66ca4b86bc4e2d6c5c0749a747664f2c
SHA1 hash:
0a6fb0407d6dd23de82172a99dfa0e18048db95a
Link:
https://www.unpac.me/results/3b39c173-0be0-4717-bd66-ebffbed13ea7/
SH256 hash:
a75968560c738f4f874f4d61c5d3e9d7a26ef3592f766a06390b7524e1fc71b5
MD5 hash:
dba6c02d04cc54ea6d1a3591b6ad2dd6
SHA1 hash:
7eaabd86e96bc0b1f996a895a6faf8e1074e809e
Link:
https://www.unpac.me/results/3b39c173-0be0-4717-bd66-ebffbed13ea7/
SH256 hash:
44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb
MD5 hash:
f0c2a8ff2890cad08f17e607ccdda7fc
SHA1 hash:
87fbf60e9ba1d60b546347632f1884fe1c531f0f
Link:
https://www.unpac.me/results/3b39c173-0be0-4717-bd66-ebffbed13ea7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb

(this sample)

anyrun
any.run
https://app.any.run/tasks/fdf7c489-1a35-431b-96bf-3ee655f2af1d
  
Dropping
MarsStealer
  
Delivery method
Distributed via web download

Comments