MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
SHA3-384 hash: 5cd83f9e550d84446ae03080bcbbcb34028fa455851fbb97157240bd356bc3bf961f3ba9cb6a8053e5c9f2fc2d196c8f
SHA1 hash: 5bccfe4bbc92f7f7c535c75e5c345c8c6cd56f02
MD5 hash: 7bd092de7377de68b4f563563b616b10
humanhash: nuts-harry-michigan-moon
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:334'376 bytes
First seen:2024-09-27 18:37:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:4xqtQERKoOzkzPdM6grTH06m/cr1DfBDIplsdyS38hYjpWO5yEO:NydZozPdMH/U6mkr5fd4mdbMcTEEO
TLSH T17A6423B54F484593FE6A0B31BDF69B31BB06F38A74034B854CD5C6768BCD783686A422
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://147.45.44.104/prog/66f6fb069f739_sgsfdgsda.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-27 18:39:14 UTC
Tags:
stealer stealc loader
Link:
https://app.any.run/tasks/1a0f698a-8198-43cd-a086-200b53746b82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilzilla-10036350-0
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f6fb8c79032805ce8e9956
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66f6fb8cb240a2b637c864e1/reports/28ac7217-439a-48f8-8f25-7b7a543b6cae/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c30cd1f9-a19d-4a6e-87f3-867653884c45
Result
Threat name:
LummaC, RDPWrap Tool, LummaC Stealer, St
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1520748
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a new user with administrator rights
AI detected suspicious sample
Allocates memory in foreign processes
Allows multiple concurrent remote connection
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Enables remote desktop connection
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: RDP Sensitive Settings Changed
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected RDPWrap Tool
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520748 Sample: file.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 141 t.me 2->141 143 hansgborn.eu 2->143 145 4 other IPs or domains 2->145 167 Suricata IDS alerts for network traffic 2->167 169 Found malware configuration 2->169 171 Antivirus detection for dropped file 2->171 173 21 other signatures 2->173 12 file.exe 2 2->12         started        16 rdpvideominiport.sys 2->16         started        18 rdpdr.sys 2->18         started        20 tsusbhub.sys 2->20         started        signatures3 process4 file5 129 C:\Users\user\AppData\Local\...\file.exe.log, CSV 12->129 dropped 227 Contains functionality to inject code into remote processes 12->227 229 Writes to foreign memory regions 12->229 231 Allocates memory in foreign processes 12->231 233 Injects a PE file into a foreign processes 12->233 22 RegAsm.exe 41 12->22         started        27 RegAsm.exe 12->27         started        29 conhost.exe 12->29         started        31 RegAsm.exe 12->31         started        signatures6 process7 dnsIp8 147 46.8.231.109, 49707, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 22->147 149 147.45.44.104, 49708, 49710, 80 FREE-NET-ASFREEnetEU Russian Federation 22->149 113 C:\Users\user\AppData\...\softokn3[1].dll, PE32 22->113 dropped 115 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 22->115 dropped 117 C:\Users\user\AppData\...\mozglue[1].dll, PE32 22->117 dropped 119 15 other files (11 malicious) 22->119 dropped 175 Tries to steal Mail credentials (via file / registry access) 22->175 177 Tries to harvest and steal browser information (history, passwords, etc) 22->177 179 Tries to steal Crypto Currency Wallets 22->179 181 Tries to harvest and steal Bitcoin Wallet information 22->181 33 cmd.exe 1 22->33         started        36 cmd.exe 1 22->36         started        38 cmd.exe 1 22->38         started        183 Found evasive API chain (may stop execution after checking locale) 27->183 185 Searches for specific processes (likely to inject) 27->185 file9 signatures10 process11 signatures12 165 Adds a new user with administrator rights 33->165 40 userKEGIDHJKKJ.exe 2 33->40         started        43 conhost.exe 33->43         started        45 userKKEHIEBKJK.exe 36->45         started        49 conhost.exe 36->49         started        51 userFCBAECGIEB.exe 2 38->51         started        53 conhost.exe 38->53         started        process13 dnsIp14 187 Multi AV Scanner detection for dropped file 40->187 189 Writes to foreign memory regions 40->189 191 Allocates memory in foreign processes 40->191 55 RegAsm.exe 1 200 40->55         started        60 conhost.exe 40->60         started        159 8.46.123.33, 3389, 49744 AS-PUBMATICUS United States 45->159 161 api.ipify.org 172.67.74.152, 49742, 80 CLOUDFLARENETUS United States 45->161 163 239.255.255.250 unknown Reserved 45->163 131 C:\Users\user\AppData\Local\...\RDPWInst.exe, PE32 45->131 dropped 193 Antivirus detection for dropped file 45->193 195 Machine Learning detection for dropped file 45->195 197 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->197 62 cmd.exe 45->62         started        64 cmd.exe 45->64         started        66 cmd.exe 45->66         started        72 3 other processes 45->72 199 Injects a PE file into a foreign processes 51->199 201 LummaC encrypted strings found 51->201 68 RegAsm.exe 51->68         started        70 conhost.exe 51->70         started        file15 signatures16 process17 dnsIp18 151 t.me 149.154.167.99, 443, 49734 TELEGRAMRU United Kingdom 55->151 153 cowod.hopto.org 45.132.206.251 LIFELINK-ASRU Russian Federation 55->153 155 bloodqwe.shop 104.21.73.223, 443, 49735, 49736 CLOUDFLARENETUS United States 55->155 121 C:\Users\user\AppData\...\freebl3[1].dll, PE32 55->121 dropped 123 C:\Users\user\AppData\Local\...\sql[1].dll, PE32 55->123 dropped 125 C:\Users\user\AppData\...\softokn3[1].dll, PE32 55->125 dropped 127 7 other files (5 malicious) 55->127 dropped 203 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 55->203 205 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 55->205 207 Tries to harvest and steal ftp login credentials 55->207 211 3 other signatures 55->211 74 KKKJEHCGCG.exe 55->74         started        77 AKFHCAKJDB.exe 55->77         started        79 RDPWInst.exe 62->79         started        82 conhost.exe 62->82         started        209 Adds a new user with administrator rights 64->209 88 2 other processes 64->88 90 2 other processes 66->90 157 ghostreedmnu.shop 188.114.97.3, 443, 49709, 49711 CLOUDFLARENETUS European Union 68->157 84 WerFault.exe 68->84         started        86 WerFault.exe 68->86         started        92 6 other processes 72->92 file19 signatures20 process21 file22 213 Writes to foreign memory regions 74->213 215 Allocates memory in foreign processes 74->215 217 Injects a PE file into a foreign processes 74->217 94 RegAsm.exe 74->94         started        111 2 other processes 74->111 97 conhost.exe 77->97         started        99 RegAsm.exe 77->99         started        133 C:\Program Files\RDP Wrapper\rdpwrap.dll, PE32+ 79->133 dropped 135 C:\Windows\System32\rfxvmt.dll, PE32+ 79->135 dropped 219 Multi AV Scanner detection for dropped file 79->219 221 Uses netsh to modify the Windows network and firewall settings 79->221 223 Allows multiple concurrent remote connection 79->223 225 2 other signatures 79->225 101 netsh.exe 79->101         started        137 C:\ProgramData\Microsoft\...\Report.wer, Unicode 84->137 dropped 139 C:\ProgramData\Microsoft\...\Report.wer, Unicode 86->139 dropped 103 net1.exe 88->103         started        105 net1.exe 90->105         started        107 net1.exe 92->107         started        109 net1.exe 92->109         started        signatures23 process24 signatures25 235 Tries to harvest and steal browser information (history, passwords, etc) 94->235
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5/
Threat name:
Win32.Spyware.Marsstealer
Create hunting rule
Status:
Malicious
First seen:
2024-09-27 18:38:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2x4hjgrs5wbigtfrfov7nhg7rlvnjmtz6l5endcn6aqpljbihkq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
rdpwrap
Create hunting rule
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/240927-w92dpswfrh/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Stealc
Malware Config
C2 Extraction:
http://46.8.231.109
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/bf05a040-123a-4f61-99aa-f0a5c387ce17
Unpacked files
SH256 hash:
951b300428f46c2a12417414eb10796307cbe9016bbd22193e3250f77bb8190c
MD5 hash:
733e54187892b23b2b7653e79925a2f0
SHA1 hash:
bcd5bfca9eb9fc9bdced6a3a43a96baf598fcd80
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/2e154fb9-49e6-4723-b5a7-2994d31e59b8/
Parent samples :
6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524
c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008
8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616
2a9f856bc9fe5a41540aa3800cd8e50adfbfbc3661845a9791c02c13bcadddf6
56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
84844b745d886eebbe814e0b9b05fd921a252019e27661a447a1103c8937f997
27055280296d10b811b4d76456dbc5d29aac8b4fc33708fa47b36334e1d85700
SH256 hash:
3986363fb8deb6927a153051c4d412001481d4cb60a113261c0e0402238bfef9
MD5 hash:
f5aa858b2cbbb784ca62b8891c9f557e
SHA1 hash:
f45f07667a035a43b06a5f43755e249a67a01f67
Link:
https://www.unpac.me/results/2e154fb9-49e6-4723-b5a7-2994d31e59b8/
SH256 hash:
56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
MD5 hash:
7bd092de7377de68b4f563563b616b10
SHA1 hash:
5bccfe4bbc92f7f7c535c75e5c345c8c6cd56f02
Link:
https://www.unpac.me/results/2e154fb9-49e6-4723-b5a7-2994d31e59b8/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56afc3a4d197/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3194151/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments