MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625
SHA3-384 hash:	1960615598e25ffa75f05662d5e15bf214d5d03041669191138b4d543e09d26ec392a95e05d5f5d1ce169bafdf005160
SHA1 hash:	64e85269651f0a475d0a94eb98cd3adbf3061e10
MD5 hash:	2e89a7aae558e9be86042e2bd7e65803
humanhash:	juliet-network-queen-purple
File name:	b123.exe
Download:	download sample
Signature	MarsStealer Create hunting rule
File size:	235'352 bytes
First seen:	2022-03-22 22:49:38 UTC
Last seen:	2022-03-23 00:55:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bae10aaa9e80d644f79420466068cc74 (1 x MarsStealer)
ssdeep	3072:iq0Je2P1VU4W3gwbBPWq3rZP55Zu3DtYyprz8gJy436s+OssN+uQSYftoyQ4tpvG:iq0rnURb0K742Ajx3qSYe94tpvURSYOc
Threatray	4'066 similar samples on MalwareBazaar
TLSH	T1A834BF1B71289E36E4663B308EBF9539431AD2A7F234C157E13EEEF8F615091966CE10
File icon (PE):
dhash icon	a4353232d5f9f4ec (1 x RedLineStealer, 1 x MarsStealer, 1 x ArkeiStealer)
Reporter	malware_traffic
Tags:	exe Mars Stealer MarsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

K3362p2954.doc

Verdict:

Malicious activity

Analysis date:

2022-03-22 01:48:37 UTC

Tags:

macros ole-embedded macros-on-open generated-doc encrypted evasion trojan loader stealer arkei vidar

Link:

https://app.any.run/tasks/78c46aa7-bab1-4530-8446-71dea7db92d8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/255205/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39315463.14273.27538.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10574/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

emotet greyware keylogger overlay packed virus zbot

Link:

https://www.filescan.io/uploads/623a52a2b94fb38cb4d2de4a/reports/61233b33-840d-4336-a5f3-96779f807bd9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

HanciTor

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d321cf2f-231e-4bee-af8f-1d7dd328ed28

Result

Threat name:

CryptOne Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962155

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625/

Threat name:

Win32.Trojan.GenSteal

Status:

Malicious

First seen:

2022-03-21 17:21:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 41 (65.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oarkc3kfli5npdilx3vspe6lgxsiqiwducunt2vde374shoz4ysq._file

Verdict:

malicious

MarsStealer

3a2a1eff040a79d603b1ac2609a423ad8beb46d2876aa959f60dc98477707c0f

MarsStealer

5aefbefef1a5a2ee938f4d9c7705b6e38b375b858d21dae1efc137f36b29751d

MarsStealer

6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e

MarsStealer

7f19bc8eb8f0555986de478bc9a17a8e052f4a9262b0a19b924d8e9c66a01ca7

MarsStealer

90572b46120921941b9c004e411af18398a33de08d001e851965710d9b1c9860

MarsStealer

b2052d38af422bd9e54927e9d4606942e5f7da8c968ce7f441c62f9f49532a99

MarsStealer

c73fbcd3422e85b23bfa0e2d65ee0b35ecb344c7f1fe4d2827e45339137b356c

MarsStealer

de147d635d7404111032d34845dd05eddc00ae6ecf0814d89eed3c6a81c06629

MarsStealer

+ 4'056 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer suricata

Link:

https://tria.ge/reports/220322-2sagjsfhcn/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Arkei

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

Malware Config

C2 Extraction:

http://sughicent.com/blaka.php

Unpacked files

SH256 hash:

eb764591fb9e827a70b3ee575c6b301b5218e401505e5e2c848e7c30065a06dd

MD5 hash:

bebdee452d78300ceb4c6188298f2d56

SHA1 hash:

b2e87bd5594e12763434dc10a09ac90371589046

Link:

https://www.unpac.me/results/abbf8993-0b8d-4acd-9969-367cbcbb9ff5/

SH256 hash:

7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625

MD5 hash:

2e89a7aae558e9be86042e2bd7e65803

SHA1 hash:

64e85269651f0a475d0a94eb98cd3adbf3061e10

Link:

https://www.unpac.me/results/abbf8993-0b8d-4acd-9969-367cbcbb9ff5/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7022a16d455a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/255205/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample