MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef
SHA3-384 hash: 1aecc84a99e92db6c7371768df8410af0025a1ac9c58078a70e3c965e7b0b61e738636561f4000da1b2dd0d89e26a5c3
SHA1 hash: 6bec358a9d2d3827e550d55005c6dfeb33464619
MD5 hash: e02c5a17407e5b9094a1d433e52d451d
humanhash: jersey-diet-robin-sink
File name:7z2301-x64.exe
Download: download sample
Signature MarsStealer
Create hunting rule
File size:12'492'800 bytes
First seen:2023-09-12 15:14:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:ok9w8zW64Q0iEt8qr3MCVbz6FKsAuCzvcBcPoOwM/+ABBc0aQO9NF/PwQBLUuh2w:
Threatray 120 similar samples on MalwareBazaar
TLSH T1E6C6382439FA501AB173EFAA8BE479DADA6FB7733B07645D109003864723981DEC153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter vovaan
Tags:exe MarsStealer


Avatar
vovaan
url : hxxps://filetransfer.io/data-package/UYPBhSWG

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
7z2301-x64.exe
Verdict:
Malicious activity
Analysis date:
2023-09-12 15:16:47 UTC
Tags:
arkei
Link:
https://app.any.run/tasks/b1c79a8a-7408-4843-b847-c1647302953d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448203/
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.7481.19357.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Sending an HTTP GET request
DNS request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/650080789bae8a3785541636/reports/442f8947-5efb-404c-835e-28c6b815c37f/overview
Verdict:
Malicious
Labled as:
MSIL.Binder.Generic
Link:
https://www.hybrid-analysis.com/sample/51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef
Result
Verdict:
MALICIOUS
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bb59e2f-0567-47de-beec-7dad941862f4
Result
Threat name:
Mars Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1308576
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Sample uses string decryption to hide its real strings
Yara detected Mars stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308576 Sample: 7z2301-x64.exe Startdate: 15/09/2023 Architecture: WINDOWS Score: 80 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 11 other signatures 2->50 8 7z2301-x64.exe 6 2->8         started        process3 file4 36 C:\Users\user\AppData\...\54LFPC8D0FSAAZ.exe, PE32 8->36 dropped 11 54LFPC8D0FSAAZ.exe 6 8->11         started        15 conhost.exe 8->15         started        process5 file6 38 C:\Users\user\AppData\Local\...\O1KFQ62G.exe, PE32 11->38 dropped 40 C:\ProgramData\Microsoft\...\XY3TFGRC.exe, PE32 11->40 dropped 60 Antivirus detection for dropped file 11->60 62 Multi AV Scanner detection for dropped file 11->62 64 Machine Learning detection for dropped file 11->64 17 O1KFQ62G.exe 12 11->17         started        21 XY3TFGRC.exe 33 123 11->21         started        24 conhost.exe 11->24         started        signatures7 process8 dnsIp9 42 criminalaffair.com 17->42 52 Antivirus detection for dropped file 17->52 54 Multi AV Scanner detection for dropped file 17->54 56 Found evasive API chain (may stop execution after checking mutex) 17->56 58 4 other signatures 17->58 26 WerFault.exe 23 9 17->26         started        28 C:\Program Files\7-Zip\Uninstall.exe, PE32 21->28 dropped 30 C:\Program Files\7-Zip\7zG.exe, PE32+ 21->30 dropped 32 C:\Program Files\7-Zip\7zFM.exe, PE32+ 21->32 dropped 34 6 other malicious files 21->34 dropped file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef/
Threat name:
ByteCode-MSIL.Trojan.MarsStealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 15:15:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khkkbsscwgqnlzrtcduiokt6zwpngbdotrzo7hiv2anqfn4cyhxq._file
Verdict:
malicious
Similar samples:
696d64c3563697e72f29c5929bb7071930e1ac13ea0ca338c4a4849398604c6b
MarsStealer
79c55c8612d1febdd0a41a5c27c74515ad1a0611b5a2c97fbde3d60fc976b545
MarsStealer
84fcfdfd2e35991c58ef96c71d56da83f6260ea76f9aab61fc33fc96ed0b9c69
MarsStealer
b36eafe154cffa7342e74e6b2d0834945c78b2b3b2b88709fc1d59121884e944
MarsStealer
c3e28416d68e5250a174a6379735a876637da5a303820036220a4c32039d2c59
MarsStealer
c63cd74507341e84f174c1a32f06c59c7bcbb4be7fb28e3d47b217fe992bdfa4
MarsStealer
ee496f1606f4f5efe8f45af252634f836502a05fb2d26950da0cbf53faebda23
MarsStealer
+ 110 additional samples on MalwareBazaar
Result
Malware family:
marsstealer
Create hunting rule
Score:
  10/10
Tags:
family:marsstealer botnet:default stealer
Link:
https://tria.ge/reports/230912-smwm6adf7s/
Behaviour
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Mars Stealer
Malware Config
C2 Extraction:
criminalaffair.com/wp-admin/admin-ajax.php
Unpacked files
SH256 hash:
b7fcd5a6466160d7b49ae527ad18f9222b1a44c8a256a8218a1632168177bca1
MD5 hash:
e5a1c3d04f8ec5d3aa604ccd5c4b8735
SHA1 hash:
fb90857368b494dd2a904841ede3408b7fde3ddd
Link:
https://www.unpac.me/results/e179bc89-ca49-4f75-8d11-3db32cded290/
SH256 hash:
b5f7f8f20717b2ba9750db9eba13584625c88c9438f2fc3a076013249f29a2ed
MD5 hash:
25312630cbab1e2801651aa7a3537ee3
SHA1 hash:
241252d6943e916fa11fddc816bc8c1321a7178c
Link:
https://www.unpac.me/results/e179bc89-ca49-4f75-8d11-3db32cded290/
SH256 hash:
56104eb9f2fed302d179c01eca511834bcc34f680988dd6f9a87fa155c144c87
MD5 hash:
7c97068ed68104ea9b342f24b55ba7cf
SHA1 hash:
b6a4aed68213f1966db8c3b4e836255b87d9262d
Link:
https://www.unpac.me/results/e179bc89-ca49-4f75-8d11-3db32cded290/
SH256 hash:
c62b43157b11a50feb521e3a382e37e86661992d7acf29cacf3b10bd9dd12f37
MD5 hash:
abd1da735575d6609dae6f4a1351f1b3
SHA1 hash:
4555d44d32db55fe945d6e67f820ace860c5e515
Link:
https://www.unpac.me/results/e179bc89-ca49-4f75-8d11-3db32cded290/
SH256 hash:
51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef
MD5 hash:
e02c5a17407e5b9094a1d433e52d451d
SHA1 hash:
6bec358a9d2d3827e550d55005c6dfeb33464619
Link:
https://www.unpac.me/results/e179bc89-ca49-4f75-8d11-3db32cded290/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RSharedStrings
Create hunting rule
Author:Katie Kleemola
Description:identifiers for remote and gmremote
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 51d4a0ca42b1a0d5e63310e8872a7ecd9ed3046e9c72ef9d15d01b02b782c1ef

(this sample)

  
Link
http://criminalaffair.com/wp-admin/admin-ajax.php
  
Dropped by
MarsStealer
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448203/

Comments